@mozillianthe federal government of the United States is using JavaScript in many PDF forms, for example the ones used by citizens to submit their taxes.
If you consider the U.S. federal government to be a malicious actor, you should know other governments too use JS in PDFs, e.g. at least Italy and the United Kingdom.
Jokes aside, you can rest assured that the implementation in our PDF viewer is the most secure JS implementation possible. As the PDF viewer is basically a web page (being itself written in HTML, CSS and JavaScript). So in Firefox, JS in a PDF has exactly the same level of security as JS in a web page.
That said, in about:config, you can use the pdfjs.enableScripting preference to disable JS in PDFs and the javascript.enabled preference to disable JS in web pages.
@marcoi have no doubts on the security of the implementation of Javascript in PDF files, though is it at all possible you guys could at least add an "Enable javascript?" pop-up when a PDF file requests it? Just in case
If we did that, we would need to do the same for JavaScript in normal web pages too, as they have basically the same security characteristics. It would be a pretty bad user experience.