GPO setting to disable Javascript in PDF viewer


Osdoba, Sascha

Dec 8, 2025, 5:35:40 AM
to enter...@mozilla.org
Hi Mike,

Maybe it's possible to have a setting to disable JS via GPO in the future? I know it's possible to do it in other ways, but GPOs are the best way for us.

Thanks

Sascha

Calixte Denizet

Dec 8, 2025, 12:17:25 PM
to Osdoba, Sascha, enter...@mozilla.org
Hey Sascha,

Out of curiosity, why do you want to do that?

Calixte


Osdoba, Sascha

Dec 9, 2025, 4:08:25 AM
to Calixte Denizet, enter...@mozilla.org

Hi Calixte,

 

Last week we saw a PDF with malicious JS code inside which was sent to a user. The file was opened by the user with a reader app, and there the file told the user to open it in a browser. The IT Security team investigated and asked us if we can disable JS in all our PDF reader apps and in the browsers as well. So we want to check the possibilities first.

For our reader apps we can do it; for the Edge browser a little workaround is necessary because MS has no GPO setting for it. Firefox also does not, and that's why a GPO for Firefox would be helpful.

Sascha

Calixte Denizet

Dec 9, 2025, 4:33:35 AM
to Osdoba, Sascha, enter...@mozilla.org
Hi Sascha,

Would it be possible to have the PDF (with sensitive info removed)? You can send it to me privately.
Acrobat used to have a lot of security issues with their implementation of JS execution and a lot of people continue to consider that "JS in PDF" is terrible, whatever the viewer is.

In our case, the JS is executed within a sandbox (the same used for web extensions), there is no access to the file system, no stuff related to the network and no way to access the DOM.
We implemented that stuff almost 5 years ago and we never had a serious security issue. Most of the bugs are not real bugs (see https://bugzilla.mozilla.org/show_bug.cgi?id=1747390).
Honestly, executing JS coming from a PDF is very likely safer than the one in a normal web page, so I'd be very surprised to see a real security problem. That being said, if such a problem exists then it'd be better to fix it.

Anyway, having such a setting is a good idea.
Thank you.

Calixte
