@mozillianthe federal government of the United States is using JavaScript in many PDF forms, for example the ones used by citizens to submit their taxes.
If you consider the U.S. federal government to be a malicious actor, you should know other governments too use JS in PDFs, e.g. at least Italy and the United Kingdom.
Jokes aside, you can rest assured that the implementation in our PDF viewer is the most secure JS implementation possible. As the PDF viewer is basically a web page (being itself written in HTML, CSS and JavaScript). So in Firefox, JS in a PDF has exactly the same level of security as JS in a web page.
That said, in about:config, you can use the pdfjs.enableScripting preference to disable JS in PDFs and the javascript.enabled preference to disable JS in web pages.
@marcoi have no doubts on the security of the implementation of Javascript in PDF files, though is it at all possible you guys could at least add an "Enable javascript?" pop-up when a PDF file requests it? Just in case
If we did that, we would need to do the same for JavaScript in normal web pages too, as they have basically the same security characteristics. It would be a pretty bad user experience.
The browser can distinguish between them, but, as I said above, they have exactly the same security characteristics. JavaScript in a PDF can't do anything more than JavaScript in a website.
Given that, why would we treat JavaScript in a PDF differently than JavaScript in a website?
I mean, people don't expect PDF files to use javascript, other then possibly somehow being leveraged for compromising security, (unsure) they might somehow be used to track how the people interact with the file? Or possibly a malicious actor might just use javascript to trigger somebodies epilepsy by flashing colors on & off on people's screens... I honestly don't know how much javascript firefox allows to be in pdf files but in the end if it's the same amount as html websites then that might be leveraged just to cause inconvenient stuff possibly, and it's not like this is a very-very essential feature that people use everyday so why risk it instead of showing a small pop-up that'll probably bother a normal user like once every 2 years or something and possibly just have a "remember option" button in the settings? That aside, a truly dedicated malicious actor would probably find some way to leverage it for their own benefit, and a truly dedicated malicious actor is probably up to no simple troll.
@mozillian the thing is: the same applies to normal websites. E.g. a malicious actor might use javascript to trigger somebody epilepsy by flashing colors on normal websites just as on PDFs.
If we believe JavaScript in Firefox is risky, then it is risky exactly in the same way in PDFs as in normal websites and we would need to block its execution and ask the user in both normal websites and PDFs. There is no point in making a difference because the characteristics are basically the same.
In other readers the situation is very different because they are native and so prone to security bugs.
I know this thread is pretty old, but I have to chime in because I use No-Script to handle java execution on websites for security. Surfing the web without No-Script is like having sex with random people without using protection. It's just a matter of time before you catch an STD. Using No-Script, in conjunction with an option to disable java in PDF files viewed in Firefox, would be ideal, as I use Firefox to view PDF files by default. The fact that most all PDF files are compressed with high entropy is cause for concern at the very least. AV databases cannot detect malicious code embedded in PDF files in the wild that are novel. If a website does not load properly when I have No-Script running, I usually just leave that site and don't go there unless I trust the site 100%. There is no "running away" from a compressed PDF file with unknown java that runs when you open it.
This thread raises valid concerns about JavaScript in PDFs, but I can see Mozilla's point about treating it the same as JavaScript on websites. A simple "Enable JavaScript?" pop-up for PDFs, with a "remember this choice" option, could strike a good balance between security and user experience.
As someone with scripting experience (especially in environments like Roblox, where scripts can also be exploited), I get the importance of user control over script execution. A feature like this could give advanced users peace of mind without overcomplicating things for everyone else.