WTF ... Mozilla had always running JavaScript inside PDFs disabled by default.

But now with FF 88 this option is ENABLED by default. Which means, if a PDF file contains JS it will run without any user interaction. What can possibly go wrong?

To disable this:

pdfjs.enableScripting --> false

# FF 78.10 ESR doesn't include this option and still blocks JS in PDFs by default. Just tested.


@TFG Maybe, they are sure that it's jailed properly now?

@lig @TFG it’s of course jailed in a browser sandbox… so well… also don’t see a big problem with that, unless the PDF reader has vulnerabilities but well… this can happen with any HTML websites with JS, too.

@apokrif @lig @TFG well then use about:config to disable it for your pdf's too

Sign in to participate in the conversation

Fosstodon is an English speaking Mastodon instance that is open to anyone who is interested in technology; particularly free & open source software.