But now with FF 88 this option is ENABLED by default, which means that if a PDF file contains JS it will run without any user interaction. What can possibly go wrong?
To disable this:
pdfjs.enableScripting --> false
# FF 78.10 ESR doesn't include this option and still blocks JS in PDFs by default. Just tested.
Oops ... accidentally split the toot ... sorry for that.
Here's a reply I made about Tor Browser:
Just noticed, the current Tor Browser has this option activated as well (at least on my phone) ... can your real IP be revealed by JS when opening a PDF file? ...I'm not an expert here.. just asking 🤔
There's a (German) video about JS in PDFs on YT with a test PDF (creates a popup message) mentioned here:
@TFG Firefox 88.0 release notes list this as a new feature:
LibreWolf 88.0-1 (as an example) currently leaves this setting enabled. 🤷 I'll probably disable it to start with and see if it causes me any problems. Cheers!
How does that even work, I mean what can you do with JS inside PDF documents?
@TFG The problem here is that more and more PDFs in the professional space contain and require working JS, and if Firefox can't compete, it will be replaced by chromium_based_xy.
@TFG Can you share the link to the PDF? I don't speak German so I couldn't figure out which one it is, and I'd like to try.
@TFG Yes, most browsers run the JS that is embedded in a PDF.
I don't know if TB has WebRTC disabled so you might wanna check that.
@TFG Mozilla isn't trustworthy. They've done a lot of shady shit over the last few years, including firing the only people there who were doing anything worthwhile and increasing the salaries of their executives.
"Nonprofit" should mean "the executives also don't profit," but apparently it's totally fine because "We're the *good* guys, not like our corporate mas - uh, I mean, not like Google, who definitely doesn't fund us!"
Useful hint. I'll report it to friends as a possible CVE. Who should be credited as the author of this finding?
If that's your original finding, I can help connect you through LinkedIn or Twitter with someone who will reproduce it, notify Mozilla, and report a CVE.
I can try to help with the reproducing part on Ubuntu desktop and Android mobile if given a proper sample PDF.
Yes, it definitely is a vulnerability. But I guess they think of it as a feature, if I read the changelog.
If reported, all credit should go to the guys at sempervideo.de ... I just spread word of the issue.
Funny side fact: I just opened the test PDF with the standard PDF viewer from Debian/Gnome and with Okular. Neither executes the embedded JS 🙂
Can you drop a safe test PDF and describe to a layman how to reproduce this on FF 88 on Ubuntu and FF 88 on Android, and prove Okular is immune?
I will try to reproduce it and write a report on this.
@TFG What is more dangerous about running JS in PDFs you chose to open than running JS in websites you chose to open? JS is explicitly designed to safely run potentially unsafe scripts.
@TFG JS-in-PDFs get their own sandbox that's much more restrictive than JS-in-webpages, and doesn't offer zero-interaction exfiltration.
@stsp @TFG Main bug is here: https://bugzilla.mozilla.org/show_bug.cgi?id=1667973
Patch discussion is here: https://phabricator.services.mozilla.com/D91746
Upstream pdf.js discussion on preventing cross-origin information leakage is here: https://github.com/mozilla/pdf.js/issues/12744
@mhoye @TFG Unfortunately most of this is over my head since I'm not a web developer so I cannot make my own assessment. What strikes me is that the discussion seems to revolve mostly around one specific exploit. There's no explanation of how this is secured by design, apart from references to sandboxes (I'd have to research how sandboxing is implemented.)
The referenced pdf.js issue 12744 is not closed yet. Was it just forgotten or does it mean that the underlying issue hasn't been fixed yet?