WTF ... Mozilla always had running JavaScript inside PDFs disabled by default.

But now with FF 88 this option is ENABLED by default. Which means, if a PDF file contains JS it will run without any user interaction. What can possibly go wrong?

To disable this:

pdfjs.enableScripting --> false

# FF 78.10 ESR doesn't include this option and still blocks JS in PDFs by default. Just tested.
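Added example, not part of the original post: a small Python check that reads the text of a Firefox profile's `prefs.js` and `user.js` and reports whether `pdfjs.enableScripting` is effectively on. The sample file contents and profile names are constructed, and the build default is passed in as an assumption (`True` for FF 88, as the post describes).

```python
import re

PREF = "pdfjs.enableScripting"

# Matches boolean pref lines such as: user_pref("pdfjs.enableScripting", false);
# Lines commented out with // do not match because of the line-start anchor.
_PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)\s*;', re.MULTILINE
)


def read_bool_pref(text, name=PREF):
    """Return the last boolean value set for `name` in a prefs file, or None."""
    value = None
    for key, raw in _PREF_RE.findall(text):
        if key == name:
            value = raw == "true"  # a later line overrides an earlier one
    return value


def effective_scripting(prefs_js, user_js, default):
    """user.js is applied over prefs.js at startup; else use the build default."""
    for text in (user_js, prefs_js):
        value = read_bool_pref(text)
        if value is not None:
            return value
    return default


def flag_profiles(profiles, default=True):
    """Return names of profiles where PDF scripting is effectively enabled.

    `profiles` maps a profile name to a (prefs_js_text, user_js_text) tuple.
    `default=True` is the FF 88 behaviour described in the post (assumption).
    """
    return sorted(
        name for name, (prefs_js, user_js) in profiles.items()
        if effective_scripting(prefs_js, user_js, default)
    )


# Constructed sample profiles (file contents as strings, not real data).
SAMPLE = {
    "untouched": ('user_pref("browser.startup.page", 3);\n', ""),
    "hardened": ("", '// hardening\nuser_pref("pdfjs.enableScripting", false);\n'),
    "commented": ("", '// user_pref("pdfjs.enableScripting", false);\n'),
}

if __name__ == "__main__":
    print("PDF scripting enabled in:", flag_profiles(SAMPLE))
```

To use it on a real installation, read `prefs.js` and, if present, `user.js` from each profile directory and pass their text in place of the sample strings.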

@TFG Maybe, they are sure that it's jailed properly now?

@lig @TFG it’s of course jailed in a browser sandbox… so well… also don’t see a big problem with that, unless the PDF reader has vulnerabilities but well… this can happen with any HTML websites with JS, too.
