mozilla / pdf.js

PDF Reader in JavaScript
https://mozilla.github.io/pdf.js/
Apache License 2.0
48.35k stars 9.97k forks

Question: How safe is script execution? #13284

Closed cshaa closed 3 years ago

cshaa commented 3 years ago

Firefox, starting with version 88, enables JavaScript execution in PDF files (source). If I understand it correctly, pdf.js uses a modified version of QuickJS as a sandbox for all inline JavaScript. What can and can't the scripts do? And how likely is it that there are security vulnerabilities?

The Acrobat JavaScript Reference mentions the SOAP object, which should enable scripts to send http requests – is it possible to send arbitrary requests from PDFs in pdf.js? And how likely is it that there exists an exploit that would allow the embedded scripts to do more despicable things, like redirecting the user to a webpage or evaluating arbitrary unsandboxed code?

Snuffleupagus commented 3 years ago

If I understand it correctly, pdf.js uses a modified version of QuickJS as a sandbox for all inline JavaScript.

That only applies to the GENERIC build of the PDF.js viewer, in the Firefox built-in PDF viewer browser sandboxing is being used; please see https://searchfox.org/mozilla-central/source/toolkit/components/pdfjs/content/PdfSandbox.jsm which loads https://searchfox.org/mozilla-central/source/toolkit/components/pdfjs/content/build/pdf.scripting.js

What can and can't the scripts do?

The features currently implemented can be found in https://github.com/mozilla/pdf.js/tree/master/src/scripting_api

And how likely is it that there are security vulnerabilities?

Most likely, it's going to be very difficult to provide a good answer to such a question.

Note that if you're really worried about security, it's possible to disable scripting support in the Firefox built-in PDF viewer by setting pdfjs.enableScripting = false in about:config (although doing so will obviously "break" certain documents).

[...] is it possible to send arbitrary requests from PDFs in pdf.js?

For now, no networking support is implemented; please note e.g. https://github.com/mozilla/pdf.js/issues/13266#issuecomment-823882557 and https://github.com/mozilla/pdf.js/issues/13266#issuecomment-824046524.

calixteman commented 3 years ago

And more info about Cu.Sandbox and principal can be found here:

So it's really the more secure way to execute some external js inside Firefox.

timvandermeij commented 3 years ago

Closing as answered; thanks!