WTF ... Mozilla had always running JavaScript inside PDFs disabled by default.

But now with FF 88 this option is ENABLED by default. Which means, if a PDF file contains JS it will run without any user interaction. What can possibly go wrong?

To disable this:

pdfjs.enableScripting --> false

# FF 78.10 ESR doesn't include this option and still blocks JS in PDFs by default. Just tested.

@TFG Thanks for this - just fixed it in my FF.

@TFG what would you even do with js in PDF wasn't PostScript already a programming language ?


@TFG Mozilla isn't trustworthy. They've done a lot of shady shit over the last few years, including firing the only people there who were doing anything worthwhile and increasing the salaries of their executives.

"Nonprofit" should mean "the executives also don't profit," but apparently it's totally fine because "We're the *good* guys, not like our corporate mas - uh, I mean, not like Google, who definitely doesn't fund us!"

oopsy ... accidently split the toot... sorry for that.

here a reply I made about Tor-Browser:

Just noticed, the current Tor Browser has this option activated as well (at least on my phone) ... can your real IP be revealed by JS when opening a PDF file? ...I'm not an expert here.. just asking 🤔

There's a (german) vid about JS in PDFs at YT with a testing PDF (creates a popup message) mentioned here:

@TFG JS-in-PDFs get their own sandbox that's much more restrictive than JS-in-webpages, and doesn't offer zero-interaction exfiltration.

@mhoye Do you have a relatively precise pointer to code/docs for this? I'm interested in learning more about how this was implemented. I've also disabled the js-in-pdf feature because it just seems crazy to me. @TFG

@stsp @TFG Main bug is here:

Patch discussion is here:

Upstream pdf.js discussion on preventing cross-origin information leakage is here:

@mhoye @TFG thank you!

@mhoye @TFG Unfortunately most of this is over my head since I'm not a web developer so I cannot make my own assessment. What strikes me is that the discussion seems to revolve mostly around one specific exploit. There's no explanation of how this is secured by design, apart from references to sandboxes (I'd have to research how sandboxing is implemented.)

The referenced pdf.js issue 12744 is not closed yet. Was it just forgotten or does it mean that the underlying issue hasn't been fixed yet?

@stsp @TFG I think it just hasn't been closed yet, but I'll follow up. From discussions with the security team, we're confident we're not subjecting people to additional risk in deploying it.