But now with FF 88 this option is ENABLED by default. Which means, if a PDF file contains JS it will run without any user interaction. What can possibly go wrong?
To disable this:
pdfjs.enableScripting --> false
# FF 78.10 ESR doesn't include this option and still blocks JS in PDFs by default. Just tested.
@TFG JS-in-PDFs get their own sandbox that's much more restrictive than JS-in-webpages, and doesn't offer zero-interaction exfiltration.
@mhoye @TFG Unfortunately most of this is over my head since I'm not a web developer so I cannot make my own assessment. What strikes me is that the discussion seems to revolve mostly around one specific exploit. There's no explanation of how this is secured by design, apart from references to sandboxes (I'd have to research how sandboxing is implemented.)
The referenced pdf.js issue 12744 is not closed yet. Was it just forgotten or does it mean that the underlying issue hasn't been fixed yet?
Server run by the main developers of the project It is not focused on any particular niche interest - everyone is welcome as long as you follow our code of conduct!