Follow

WTF ... Mozilla had always running JavaScript inside PDFs disabled by default.

But now with FF 88 this option is ENABLED by default. Which means, if a PDF file contains JS it will run without any user interaction. What can possibly go wrong?

To disable this:

about:config
pdfjs.enableScripting --> false

# FF 78.10 ESR doesn't include this option and still blocks JS in PDFs by default. Just tested.

oopsy ... accidently split the toot... sorry for that.

here a reply I made about Tor-Browser:

Just noticed, the current Tor Browser has this option activated as well (at least on my phone) ... can your real IP be revealed by JS when opening a PDF file? ...I'm not an expert here.. just asking 🤔

There's a (german) vid about JS in PDFs at YT with a testing PDF (creates a popup message) mentioned here:

youtube.com/watch?v=iLVuLWOUyB

@lig @TFG it’s of course jailed in a browser sandbox… so well… also don’t see a big problem with that, unless the PDF reader has vulnerabilities but well… this can happen with any HTML websites with JS, too.

@apokrif @lig @TFG well then use about:config to disable it for your pdf's too

@TFG

In the end a .pdf is like a .html nowadays. I do not think they are riskier than normal pages. They are still limited by the Javascript sandbox.

@TFG Firefox 88.0 release notes list this as a new feature:

mozilla.org/en-US/firefox/88.0

"PDF forms now support JavaScript embedded in PDF files. Some PDF forms use JavaScript for validation and other interactive features."

LibreWolf 88.0-1 (as an example) currently leaves this setting enabled. 🤷 I'll probably disable it to start with and see if it causes me any problems. Cheers!

@TFG
> What can possibly go wrong?

Well, the same thing as for webpages, halting problem and no privacy for documents.

@syntax

I just tested it. NoScript does NOT block JS in PDFs.

@TFG oh you mean just like every other page you open in your browser?

@TFG
>JavaScript inside PDFs
How does that even work, I mean what can you do with JS inside PDF documents?

@TFG The problem here is that more and more pdf in the professional space contain and require working js and if Firefox can't compete, it will replaced by chromium_based_xy.

@TFG Can you share the link to the PDF ? I don't speak german so I couldn't figure out which one it is, and I'd like to try

@TFG Yes, most browsers run the JS that is embedded in a PDF.

JavaScript can reveal your real IP if an exploit against the browser can be used (eg. the WebRTC leak from a while ago).
I don't know if TB has WebRTC disabled so you might wanna check that.

@TFG
Wait, PDFs can contain JS? Is the world not fucked enough as it is?

@TFG What is more dangerous about running JS in PDFs you chose to open over running JS in websites you chose to open? JS is explicitly designed to safely run potentially unsafe scripts.

@TFG JS-in-PDFs get their own sandbox that's much more restrictive than JS-in-webpages, and doesn't offer zero-interaction exfiltration.

@mhoye Do you have a relatively precise pointer to code/docs for this? I'm interested in learning more about how this was implemented. I've also disabled the js-in-pdf feature because it just seems crazy to me. @TFG

@mhoye @TFG Unfortunately most of this is over my head since I'm not a web developer so I cannot make my own assessment. What strikes me is that the discussion seems to revolve mostly around one specific exploit. There's no explanation of how this is secured by design, apart from references to sandboxes (I'd have to research how sandboxing is implemented.)

The referenced pdf.js issue 12744 is not closed yet. Was it just forgotten or does it mean that the underlying issue hasn't been fixed yet?

@stsp @TFG I think it just hasn't been closed yet, but I'll follow up. From discussions with the security team, we're confident we're not subjecting people to additional risk in deploying it.

Sign in to participate in the conversation
Linux.Pizza

A instance dedicated - but not limited - to people with an interest in the GNU+Linux ecosystem and/or general tech. Sysadmins to enthusiasts, creators to movielovers - Welcome! Note - signups for gmail.com is temporary blocked due to spam.