Best practice for safe viewing of PDFs posted to list

Riad S. Wahby rsw at jfet.org
Wed Jun 10 15:01:39 PDT 2015


Seth <list at sysfu.com> wrote:
> Curious if the advice given above is still relevant and also what others on
> the list recommend for safe viewing of PDFs.

If your web browsing habits don't include NoScript, then you're likely no
worse off using pdf.js to view PDFs than you are browsing arbitrary websites.
After all, pdf.js has no more or less permissions than any other JS you might
encounter in the wild; and since pdf.js is bundled with modern versions of
Firefox, you might be inclined to think that it's likely non-malicious even if
it's exploitable by rogue PDFs. But that's no worse than some JS malware you
were fed via DNS poisoning or CDN hijacking.

(This can be seen either as an implicit endorsement of pdf.js or of NoScript.)

-=rsw


