WTF ... Mozilla had always running JavaScript inside PDFs disabled by default.

But now with FF 88 this option is ENABLED by default. Which means, if a PDF file contains JS it will run without any user interaction. What can possibly go wrong?

To disable this:

pdfjs.enableScripting --> false

# FF 78.10 ESR doesn't include this option and still blocks JS in PDFs by default. Just tested.


oopsy ... accidently split the toot... sorry for that.

here a reply I made about Tor-Browser:

Just noticed, the current Tor Browser has this option activated as well (at least on my phone) ... can your real IP be revealed by JS when opening a PDF file? ...I'm not an expert here.. just asking 🤔

There's a (german) vid about JS in PDFs at YT with a testing PDF (creates a popup message) mentioned here:

· · Web · 2 · 3 · 4

@TFG Can you share the link to the PDF ? I don't speak german so I couldn't figure out which one it is, and I'd like to try

@TFG Yes, most browsers run the JS that is embedded in a PDF.

JavaScript can reveal your real IP if an exploit against the browser can be used (eg. the WebRTC leak from a while ago).
I don't know if TB has WebRTC disabled so you might wanna check that.

Sign in to participate in the conversation

A instance dedicated - but not limited - to people with an interest in the GNU+Linux ecosystem and/or general tech. Sysadmins to enthusiasts, creators to movielovers - Welcome!