Closed cshaa closed 3 years ago
> If I understand it correctly, pdf.js uses a modified version of QuickJS as a sandbox for all inline JavaScript.
That only applies to the GENERIC build of the PDF.js viewer, in the Firefox built-in PDF viewer browser sandboxing is being used; please see https://searchfox.org/mozilla-central/source/toolkit/components/pdfjs/content/PdfSandbox.jsm which loads https://searchfox.org/mozilla-central/source/toolkit/components/pdfjs/content/build/pdf.scripting.js
> What can and can't the scripts do?
The features currently implemented can be found in https://github.com/mozilla/pdf.js/tree/master/src/scripting_api
> And how likely is it that there are security vulnerabilities?
Most likely, it's going to be very difficult to provide a good answer to such a question.
Note that if you're really worried about security, it's possible to disable scripting support in the Firefox built-in PDF viewer by setting pdfjs.enableScripting = false in about:config (although doing so will obviously "break" certain documents).
> [...] is it possible to send arbitrary requests from PDFs in pdf.js?
For now, no networking support is implemented; please note e.g. https://github.com/mozilla/pdf.js/issues/13266#issuecomment-823882557 and https://github.com/mozilla/pdf.js/issues/13266#issuecomment-824046524.
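The about:config change mentioned above can also be enforced for a managed fleet through a Firefox enterprise policy. The policies.json fragment below is an added example, not from this thread or the pdf.js project; it assumes the Preferences policy accepts the pdfjs.* prefix (it is on the policy's allow-list in current Firefox releases) and that the file is placed in the distribution directory of the Firefox installation.

```json
{
  "policies": {
    "Preferences": {
      "pdfjs.enableScripting": {
        "Value": false,
        "Status": "locked"
      }
    }
  }
}
```

With "Status": "locked" the preference is greyed out in about:config so a user cannot re-enable PDF scripting; "default" would only change the default and leave it user-editable. After deployment, about:policies lists the active policy and about:config shows pdfjs.enableScripting as locked, which is the quickest way to confirm it took effect.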
And more info about Cu.Sandbox and principal can be found here:
So it's really the more secure way to execute some external js inside Firefox.
Closing as answered; thanks!
Firefox, starting with version 88, enables JavaScript execution in PDF files (source). If I understand it correctly, pdf.js uses a modified version of QuickJS as a sandbox for all inline JavaScript. What can and can't the scripts do? And how likely is it that there are security vulnerabilities?
The Acrobat JavaScript Reference mentions the SOAP object, which should enable scripts to send http requests – is it possible to send arbitrary requests from PDFs in pdf.js? And how likely is it that there exists an exploit that would allow the embedded scripts to do more despicable things, like redirecting the user to a webpage or evaluating arbitrary unsandboxed code?