WTF ... Mozilla had always running JavaScript inside PDFs disabled by default.

But now with FF 88 this option is ENABLED by default. Which means, if a PDF file contains JS it will run without any user interaction. What can possibly go wrong?

To disable this:

pdfjs.enableScripting --> false

# FF 78.10 ESR doesn't include this option and still blocks JS in PDFs by default. Just tested.



In the end a .pdf is like a .html nowadays. I do not think they are riskier than normal pages. They are still limited by the Javascript sandbox.

Regístrate para participar en la conversación es una instancia generalista y ligeramente moderada. Bienvenidos todos los temas con buena onda, respeto y sin desnudos innecesarios :). Castellano/Español y otros lenguages bienvenidos. / is a generalist instance lightly moderated. All opinions are welcome. Be cool, respectful and leave your clothes on if possible :) Spanish preferred but all languages are welcome.