Firefox 88 Enables JavaScript Embedded In PDFs By Default
ewhac writes: Firefox has long had a built-in PDF viewer, allowing users to view PDF files in the browser without having to install a third-party application. In addition to the other weird things PDF files can contain, one of them is JavaScript. Putatively offered as a way to create self-validating forms, this scripting capability has been abused over the decades in just about every way you can imagine. Firefox's built-in viewer, although it has apparently had the ability to execute embedded JS for some time, never turned that feature on, making it a safe(r) way to open PDFs... Until now. The newly released Firefox version 88 has flipped that switch, and will now blithely execute JavaScript embedded in PDFs. Firefox's main preferences dialog offers no control for turning this "feature" off.
To turn off JavaScript execution in PDFs: Enter about:config in the address bar; click "I'll be careful." In the search box near the top, enter pdfjs.enableScripting. Change the setting to False. Close the page.
Security (Score:5, Funny)
Infosec workers need jobs too. Think of all the jobs that would be lost if we didn't have software with bugs. Same reason you don't want robots making stuff.
Shallow Security (Score:2)
Isn't that another word for, 1,000.00 eyes need to stay employed?
JavaScript (Score:5, Funny)
It's the new and improved Flash!
Re: (Score:2)
That would be SVG and CSS.
Re:JavaScript (Score:4, Informative)
Flash's ActionScript and JavaScript are closer than you remember. They're both defined by ECMA-262, after all. The biggest difference, really, is that AS, rather foolishly, has classical objects.
Thank you. (Score:5, Informative)
Thank you for the helpful instructions in the summary for how to work around this bug.
Re: (Score:3, Interesting)
It's not a bug. In fact, this is going to be great for users who struggle with PDFs because they don't handle scripting. While it may not be common in your experience, ordinary users interact with PDFs very frequently -- and many require scripting to properly interact with them.
Lack of scripting was a real problem. Now it's not.
Re: (Score:2)
What's any use case for scripting in a PDF? Most PDFs I've seen are used for dead text, or forms, or even some self-published ebooks.
PDFs' entire point is that they are specific renderings.
Re:Thank you. (Score:5, Informative)
Dynamic forms that change based on user input. Checking entries for correct formatting. Useful features but this is going to end poorly.
Re: (Score:2, Interesting)
It's not adding anything new so there is no reason why it would create additional security problems.
PDFs are rendered by Javascript in Firefox. It's called PDF.js and renders the document using HTML and CSS. The only issue was that it didn't implement the PDF API, but they have added that now. The API is implemented in Javascript so again, it's just using what has been there for years.
There's nothing the Javascript in a PDF can do that Javascript on the web can't. It's a subset and in Firefox it's built ent
Re: Thank you. (Score:1)
Except it introduces a new vector for those attacks which most websites will not be designed to mitigate.
We've got used to sanitising user input to strip out unwanted tags in user-supplied HTML, but I've never come across sites that sanitise PDF uploads in this manner.
Any site that allows users to upload PDF files - like, say, Wikipedia - has just been made significantly less secure by this change.
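Added example, not part of the thread or of any project mentioned in it: one way a site that accepts PDF uploads could flag files carrying script or auto-run actions before serving them. The sample byte strings are constructed for illustration, and the list of name tokens checked is an assumption about what a site would want to flag.

```python
import re
import zlib

# PDF name tokens that attach script or automatically triggered actions.
SUSPICIOUS = {b"/JS", b"/JavaScript", b"/OpenAction", b"/AA"}

# A name is "/" followed by any run of non-delimiter, non-whitespace bytes.
NAME_RE = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(token: bytes) -> bytes:
    """Undo #xx escapes so that /J#53 and /JS compare equal."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), token)


def names_in(data: bytes) -> set:
    return {decode_name(tok) for tok in NAME_RE.findall(data)}


def scan_pdf(data: bytes) -> set:
    """Return the suspicious name tokens found in a PDF's raw bytes.

    Looks at the file as written and inside every stream that inflates
    with zlib, because object streams can hide dictionaries from a plain
    byte search.
    """
    found = names_in(data) & SUSPICIOUS
    for match in STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates the EOL that precedes "endstream"
            inflated = zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # not a Flate stream (image data, other filters)
        found |= names_in(inflated) & SUSPICIOUS
    return found


# --- constructed samples, not taken from any real document ---
CLEAN = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
PLAIN = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
         b"3 0 obj\n<< /S /JavaScript /JS (void 0;) >>\nendobj\n")
ESCAPED = b"%PDF-1.7\n3 0 obj\n<< /S /J#61vaScript /J#53 (void 0;) >>\nendobj\n"
PACKED = (b"%PDF-1.7\n5 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
          + zlib.compress(b"<< /S /JavaScript /JS (void 0;) >>")
          + b"\nendstream\nendobj\n")

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN), ("plain", PLAIN),
                          ("escaped", ESCAPED), ("packed", PACKED)]:
        print(label, sorted(scan_pdf(sample)))
```

This is a heuristic: encrypted files and streams using filters other than Flate are not inspected, so an empty result is not proof that a file carries no script.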
Re: (Score:1)
If you are relying on the website to mitigate you are already screwed.
Re: (Score:1)
So, yes, we are now relying on the website. And, yes, we are now screwed.
Thanks, Firefox!
Re:Thank you. (Score:5, Insightful)
The lack of scripting was a feature. I could safely open a pdf without worrying about what it was doing. The addition of scripting makes it a security hole.
Re: (Score:3)
Agreed. One more thing to have to worry about for those of us who care even a little bit about security.
Adding support for JS in PDF wasn't necessarily a heinous idea, but enabling it by default IMO very much was.
Re: (Score:2)
Firefox has regular users? I think by now the people who use firefox still are die-hards like myself who know it inside and out and are willing to tolerate the inevitable breakage th
Re:Thank you. (Score:5, Insightful)
There's an obvious simple way to deal with scripting in PDFs: when a PDF has scripts, display a prompt asking the user if they want to run the scripts. If they're expecting a complicated form to fill out, they can say yes. If they're expecting reading material like the vast majority of PDFs are, they can say no.
Re: (Score:2)
Does this mean that I am going to be able to prepare my FBAR [treas.gov] submission using Firefox on Linux?
Re: (Score:2)
You did it online. That's a one-shot process.
My FBAR takes more time, so I don't want to either risk a problem with a one-shot process, nor re-enter all the data every year.
Re: (Score:2)
It's more about the number of accounts than the amounts in them.
Re: (Score:2)
Sounds like a misfeature. PDF was originally a read-only document format. No writing, no certs, no actions. Read. Only. If you need something more than that then use a different friggin tool.
I can verify this (Score:5, Informative)
Re:I can verify this (Score:5, Informative)
Re: (Score:2)
"Feature", indeed. This is beyond braindead, as macOS handles PDF natively by itself.
Re: (Score:3)
The excellent PDF support of MacOS is probably the best PDF implementation out there but it is still an OS library running natively on the system written in a C based language.
Firefox's slower JS, SVG powered PDF viewer is never going to compete for speed or resource usage; however, it is running in a heavily attacked sandbox: the browser itself, which in turn, is a browser app which I believe doesn't even use the system's native font rendering engine.
The most safe thing you can use is the firefox PDF view
Re: (Score:2)
Correction, I looked and it appears to all be html with the canvas instead of SVG...perhaps it was but now it's canvas. So it's converted PDF into html + canvas so why are we freaking about javascript?
Re: (Score:2)
"As secure as any webpage" is a euphemism for "not secure".
Re: (Score:2)
There was a story submission here a couple of days ago - which I don't think was accepted - which contained a link showing how to use Policies [linuxreviews.org]. I looked at the documentation and one of the available policies is DisableBuiltinPDFViewer which would solve this problem with extreme prejudice.
The article assumes you are using Linux, Policies are also available under the Mac or Windows, although I think the Windows variation means you have to copy the policy file after every update and I don't even know where t
Re: (Score:2)
I don't want PDFs to open in Firefox. How do you completely turn the "feature" off?
Don't click on PDF URLs.
That got turned off PDQ (Score:2)
More security incidents incoming (Score:2)
Google and Adobe basically control Firefox now, if Mozilla wasn’t bound by them they wouldn’t be removing much loved features or enable javascript in inappropriate contexts.
Why (Score:4, Insightful)
I have never seen a PDF that had trouble rendering and made me say, "If only this had Javascript enabled." I've seen weird PDFs, but not that one.
So what is the use case for this? Who is doing things with it that it needs to be enabled?
Re: (Score:2)
So what is the use case for this?
Like TFS says: for form validation.
Re: (Score:2)
I mean, is that something you see commonly (ever) in PDFs? What I mean is who is doing that? Is this something accountants do a lot with PDFs, or is it common in the banking industry? I don't see it very often, and I want to know where it is trendy.
Re: (Score:2)
I'm surprised you haven't run across anything yet. I see it very frequently. Hell, even the local radio club uses scripting on their application.
I've seen a few PDFs where some of the fields can only be filled out by a script, totaling or doing some other calculation based on data you've entered elsewhere. I've seen others where scripting is used to offer online help. Still others that alert users that some fields haven't been completed or haven't been completed properly.
I have to wonder though, if PDF
Re:Why (Score:5, Insightful)
I suspect it has little to do with the language. It's just the result of embedding an executable scripting language inside a document, which now means opening a document is just as dangerous as running a random executable. This exact same pattern happened with Microsoft Word or Excel docs using VB Script. As a consequence, these days scripting is typically turned off by default, and must be done explicitly by the user, with appropriate warnings first.
Another example is HTML e-mail. These days, many features provided by HTML (scripting, even loading remote images) ended up being too exploitable, and are disabled by default. It's another case of engineers thinking first about functionality, and not considering potential negative consequences until far too late. That was excusable a few decades ago, but not today.
The problem is that the same features that make a scripting language really useful turn out to be good for writing malware as well.
Re: (Score:2)
Maybe, but this is running inside a web browser, which, by necessity, has scripting running by default anyway. Scripting in a PDF here should be no more dangerous than scripting on a web page.
Believe it or not, it is possible to do scripting safely these days. This isn't 1997, after all. You forget, we let scripts and applets do pretty much anything back then -- including have full file system access! It only made sense to completely disable them. The need for those draconian measures, however, is lon
Re: (Score:2)
Believe it or not, it is possible to do scripting safely these days.
I don't really believe it.
Dead God (Score:2)
WHY!?
Also, why wasn't PDF extended with PostScript (a stack-based multi-paradigm programming language) instead of JavaScript? And given that we can JIT JavaScript and precompile TypeScript, why are there not tools that compile JavaScript to PostScript?
Re: (Score:2)
I have a toy FORTH to ASM.js, going the other way is not exactly rocket science.
Danger Will Robinson! (Score:1)
This is really a security oversight and someone should be held accountable for it.
What does it matter? (Score:2)
If their javascript sandbox is broken I'm in bigger trouble from browsing than opening PDFs.
I guess some very paranoid firefox users who turn javascript off on the web might get significant additional attack surface this way, but for me it's a nothingburger.
Re:What does it matter? (Score:5, Informative)
That depends on whether whatever extension(s) you use to block hostile content will detect that content within PDFs as well. I've seen reports suggesting they won't, possibly because of a strange consequence of the PDFJS integration that means the PDF content gets treated more like browser chrome than page content, but I'm still looking for authoritative answers.
Re: (Score:2)
The attack isn't always malware. Usually the attack comes in the form of unwanted advertisement, tracking, monetization and other creepy features. Don't forget sucking up loads of additional bandwidth and cpu. Why is my phone so much slower than my laptop when browsing the web, because the phone has all ads and scripts enabled and it takes a long time showing you ads and videos and whatnot before it can be bothered showing you the first word of the content you care about. Just what we need, PDFs that t
Mozilla... why? (Score:5, Insightful)
What a stupid move. As far as I know, it's pretty rare that this functionality is needed, and is why Javascript was turned OFF by default previously, even by many stand-alone readers. There have been many PDF-based attacks that relied on Javascript exploits over the years. Are they not aware of this?
They must be very confident that they've sandboxed their reader well enough, but you know how that goes. They're exposing 99.9% of users for the 0.1% that actually needs this additional, dangerous functionality. Far better would be an option that allowed you to turn this functionality on ONLY IF the PDF only required it. And better yet, only enable it for that ONE PDF, not all of them.
I'm having a hard time figuring out why Mozilla thought this was a good idea. I've just disabled it for myself. Appreciate the heads-up, Slashdot.
Wow (Score:2)
I just upgraded. Thanks for the timely warning /.
I don't know who thought JS in PDFs was reasonable.
Department of redundancy department (Score:5, Insightful)
PDF and Postscript are already Turing complete languages, why does it need Javascript bolted on the side?
Re: (Score:2)
PDF and Postscript are already Turing complete languages, why does it need Javascript bolted on the side?
I'm overrun with applicants listing PDF and Postscript languages on their resumes (COBOL developers too for that matter). A good Javascript developer is like finding a needle in a haystack.
Re: (Score:2)
A Javascript to Postscript (or PDF) compiler would make a lot more sense.
Department of Javascript department (Score:2)
You may be looking in the wrong place. [steampowered.com]
Tools that use Javascript may be a hidden source of expertise.
Re: (Score:2)
PostScript is a Turing-complete stack-based language, but PDF is not Turing-complete. That's part of the reason PDF is more efficient to render.
Re: (Score:2)
Surely bolting Javascript on to the side won't help rendering.
I see upon further research that the restrictions in PDF eliminate Turing completeness, but should still offer enough for form validation.
Re: (Score:2)
Oh, I don't think JavaScript in PDF is a great idea - we're bad enough at sandboxing it in web pages, sandboxing it in PDFs will be another can of worms. I don't even particularly like PDF forms or other fancy features, I liked it when it was just a light-weight page description language.
blithely - nice (Score:3)
Firefox's built-in viewer, although it has apparently had the ability to execute embedded JS for some time, never turned that feature on, making it a safe(r) way to open PDFs... Until now. The newly released Firefox version 88 has flipped that switch, and will now blithely execute JavaScript embedded in PDFs.
In a future release, Firefox will also have a built-in Flash engine ...
Re: (Score:3)
In a future release, Firefox will also have a built-in Flash engine ...
No, that's been deprecated in favor of a web-facing root shell. Much more capable, and faster, native.
What fun (Score:2)
The only people who should ever be dealing with a PDF file are people making something to print out. Use PDF files for any other reason, you are an asshole.
Dafuq? (Score:5, Insightful)
So they disabled FTP but enabled javascript in PDF?
I assume the devs that did this live someplace where marijuana is legal... because the alternative is that they're smoking crack.
Re: (Score:3)
This is so insightful that I had to comment on it rather than just mod you as such.
Re: (Score:1)
I assume the devs realise that many PDFs (especially the kind which are purchased or part of a subscription) have embedded Javascript, and yet no one is stupid enough to actually want an FTP client in a browser in 2021.
But hey we're talking about a tale of two equals: A browser which only ever implemented a small subset of the FTP protocol and was functionally useless for the purposes FTP was invented, and a browser which only ever implemented a subset of the PDF capabilities and was functionally useless fo
Re: (Score:2)
Proper PDFs have always worked in the browser. The PDFs that do not work have glaring flaws in them, such as needing a script, asking for input from the user, etc. PDF is for reading documents, and anyone trying to make it do more than that is either stupid or working for Adobe (but I repeat myself).
Can HTML5 format like PDF? (Score:2)
Do we still need PDF or can HTML5 control formatting close enough to get rid of this legacy PIA? Especially for emails. PDF attachments are a nuisance.
Re: (Score:2)
They serve different purposes, and, although there are HTML+CSS Print to PDF converters, I do not believe they can guarantee pixel-perfect layout as PDF can.
PDF was designed as a page description language, and it's great for that purpose. It starts to get clunky (and potentially hazardous) when it is co-opted for things like fillable forms. I think we need something better than PDF for that specific purpose.
Oh, this can't be good... (Score:2)
user.js (Score:2)
user_pref( "pdfjs.enableScripting", false) ;
to my user.js
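Added example, not part of the thread and not Mozilla's code: a script that reports the value of pdfjs.enableScripting a profile will start with and pins it off through user.js, which Firefox reapplies over prefs.js at every startup. The profile directory is supplied by the caller, the function names are hypothetical, and the default of "true" is an assumption taken from the story's description of Firefox 88.

```python
import re
from pathlib import Path

PREF = "pdfjs.enableScripting"

# Matches user_pref("name", value); including loose spacing such as
# user_pref( "name", value) ;  Commented-out lines do not match.
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;', re.MULTILINE)


def read_prefs(path: Path) -> dict:
    """Parse a prefs.js / user.js file into {name: raw_value}."""
    if not path.is_file():
        return {}
    text = path.read_text(encoding="utf-8", errors="replace")
    return dict(PREF_RE.findall(text))


def effective_value(profile: Path, default: str = "true") -> str:
    """Value the profile starts with: prefs.js first, user.js on top.

    `default` is the assumed built-in value when neither file sets it.
    """
    merged = {**read_prefs(profile / "prefs.js"),
              **read_prefs(profile / "user.js")}
    return merged.get(PREF, default)


def pin_off(profile: Path) -> bool:
    """Make user.js set the pref to false. Returns True if it was changed."""
    user_js = profile / "user.js"
    if read_prefs(user_js).get(PREF) == "false":
        return False
    text = user_js.read_text(encoding="utf-8") if user_js.is_file() else ""
    # Keep every existing line except earlier settings of this one pref.
    kept = [line for line in text.splitlines()
            if PREF not in dict(PREF_RE.findall(line))]
    kept.append(f'user_pref("{PREF}", false);')
    user_js.write_text("\n".join(kept) + "\n", encoding="utf-8")
    return True


if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:]:
        profile = Path(arg)
        before = effective_value(profile)
        changed = pin_off(profile)
        print(f"{profile}: was {before}, user.js updated: {changed}")
```

A change made only in about:config lives in prefs.js and can be flipped back from the same page; the user.js entry is re-read on each start.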
Another reason not to use that SPoS (Score:2)
Clicking on a PDF means: download to download folder! Not "open in browser" where you have to click "save as ..." again. Oh, you can't click "save as ..." unless you are on a Mac, as the menu bar is gone.
Retards doing software ... and because they claim it is open source they are proud about the shit they program.
Slippery slope (Score:2)
What will they do next, enable JS in HTML documents?
I really don't understand the brouhaha, what is the big difference between opening a JS-enabled HTML document in your browser and a JS-enabled PDF document in your browser? Is there some specific exploit that only works in PDFs?
Re: Slippery slope (Score:2)
Yes, I remember Adobe Acrobat Reader being hacked with that, a decade or more ago.
PDF is just basically PostScript with loops unrolled and everything... And PS is a programming language for a platform that runs on (proper) printers. Like an app for printers.
So yeah, PDF already got an attack surface the size of an OS or processor architecture. It does not really need JS for that. Although a JS interpreter is likely written by less competent people than a PS greybeard.
Re: (Score:2)
PDF is just basically PostScript with loops unrolled and everything... And PS is a programming language for a platform that runs on (proper) printers. Like an app for printers.
So yeah, PDF already got an attack surface the size of an OS or processor architecture.
I recall back in '88 when I moved to Silicon Valley for a project. The company had just gotten a spiffy new apple laser printer with that new-fangled postscript. And fractals (mainly the Mandelbrot set), also new-fangled, were all the rage.
One of
I'll be careful? (Score:2)
Bit o' irony there, having to promise I'll be careful to turn off a feature that is anything BUT careful...
about:config -- Yikes! (Score:2)
I just entered about:config in the address, and after promising to be a good boy, I got some enormous list of config settings I had never heard of before. I have suspected for some time that web browsers have got far too big. Firefox is eating so much memory over multiple tabs that I have to reboot every few days. I gave up on Chromium, because that was even worse. My machine would grind to a halt once all the swap was used up. I like my multiple tabs, for web mail, news, online suppliers, and whatever PDF
Re: about:config -- Yikes! (Score:2)
Were you born yesterday?
about:config is *ancient*
And yes, a literal fucking OS and VM has a lot of settings. Take a look at the Windows registry for comparison.
Re: (Score:2)
about:config is *ancient*
If I fiddle with Firefox settings, it is via a GUI menu, rather than the list that about:config provides. I presume the GUI menu hides a great deal, so ignorant users like me can't do too much damage.
That's nothing! (Score:2)
Firefox 89 will have a real live kitchen sink! It looks just like one of the 3958 ones on Chrome. ;)
(Fun fact: "88" is neo-Nazi code for "Heil Hitler".)
Re: (Score:2)
Firefox 89 will have a real live kitchen sink! It looks just like one of the 3958 ones on Chrome.
Did they get it from emacs?
So don't use the built-in viewer (Score:2)
The story notes a config that can block js in the viewer. There's always the option that tags PDF files for opening with an external viewer, too. I use Sumatra, which doesn't seem to run javascript. Just open Options/Preferences, scroll down to Applications, and set PDF to open with your favorite viewer. Pro tip: Adobe is not the best viewer for the purpose, as it happily runs javascript in PDF documents.