Support JavaScript inside PDFs
This would allow stuff such as https://cdn.jsdelivr.net/gh/osnr/horrifying-pdf-experiments@master/breakout.pdf to work.
Note that the sample does not work in Mobiles, Safari or Firefox PDF.js, nor in Acrobat 9 or other PDF Readers. It is a CHROME script Proof Of Concept using PDF name for demo in unsecured Chrome (and Edge etc) Script engine.
most PDF readers (besides Adobe Reader) don’t implement most of this stuff. But Chrome does implement JavaScript! If you open a PDF file like this one in Chrome, it will run the scripts...
...custom Adobe JavaScript API has an absolutely gigantic surface area. Scripts can supposedly do things like make arbitrary database connections, detect attached monitors, import external resources, and manipulate 3D objects
Inspect how many HTML web based script files the sample is running live and consider they would all need to be copied to OFFLINE cache when not loaded online.
Note the one and only Issue in the source Repo is:
You've done a real service by pointing out that PDFs can contain some real horrors. I now feel some real fear about downloading PDFs. Do you know of a tool that would check a PDF file to see if it contained any of the various forms of executable content you've mentioned?
There's also https://pspdfkit.com/blog/2018/how-to-program-a-calculator-pdf/ (works in Mobiles, Chrome, Firefox) and https://pspdfkit.com/blog/2019/create-pdf-game-tic-tac-toe-javascript/ (works in a mobile viewer)
There is also https://www.locklizard.com/track-pdf-monitoring/, a variation of https://www.simonewebdesign.it/how-to-create-web-bug-aka-beacon-image/ has been added to PDFs and, just like Google stats, I could see online which page I had read offline, or https://www.komando.com/security-privacy/new-adobe-pdf-bug-can-get-you-hacked-with-just-one-click/460762/ or thousands of other ways to use JavaScript.
There's malicious usage for executables too. Does that mean every system should stop running executables? No, because executables have non-malicious uses too. Same with JavaScript in PDFs.
There could be a warning before JavaScript is run in the PDF, similar to images in e-mails. (This warning could be turned off in the config.)
I use JS daily in Edge PDF browsing / Tracker Xchange XFA Editor etc / Acrobat 3D viewer etc / MuPDF-GL PDF file modifier but have no need for JS whilst everyday fast viewing their slower render printouts.
Sure, but in the thing I'm distributing it with, those aren't really options. Again, a warning before JS runs would work well.
Hard pass, please no. Security nightmare.
Please let there be at least one PDF reader which is secure. Supporting JavaScript is an awful idea - like others already said. I don't get why there is some need for PDFs to have interactivity and other completely unnecessary features that turn them into websites. PDFs should be PDFs, websites should be websites.
It very well could just be an opt-in option, and hide it entirely unless it's accepted in the settings.
I still don't think that implementing that would be a good idea - even keeping this as optional. If there is no way to invoke JavaScript, it guarantees that no malicious scripts would ever be invoked. It's the best kind of safety. But if Sumatra had that option (to invoke JavaScript), it could very well be exploited by some people as they would write malware targeting it, that could for example change its settings behind our backs. Not to mention, it's normal for any software to have some bugs. One could for example overwrite settings or make Sumatra not respect disabling JavaScript. It's just speculation not backed by knowledge (I just use common sense) but I think it's best to have absolute certainty and not leave room for any risk at all when it's not necessary. And for some fancy features I think it's completely not worth it. Especially when there are other PDF reader alternatives that already support JavaScript. Why is there a need for Sumatra to follow this trend too?
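The issue quoted in this thread asks for a tool that checks a PDF for executable content, and a later comment proposes a warning before JavaScript runs. As an added example (not code from Sumatra or from any participant in the thread), this Python sketch counts the name keys that introduce scripts or automatic actions, decoding `#xx` name escapes first; the key list, the function names and the constructed `SAMPLE` bytes are assumptions, and names hidden inside compressed object streams are only reported as a possibility, not decoded.

```python
import re
from collections import Counter

# Assumed triage list: name keys that introduce scripts or automatic actions.
ACTIVE_KEYS = {"JS", "JavaScript", "OpenAction", "AA", "Launch", "EmbeddedFile", "XFA"}
# Compressed object streams can hide any of the above from a raw-byte scan.
OPAQUE_KEYS = {"ObjStm"}

# A PDF name: "/" followed by regular characters (no whitespace or delimiters).
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /J#61vaScript is counted as /JavaScript."""
    decoded = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def scan_pdf(data: bytes) -> dict:
    """Count active-content name keys visible in the raw bytes of a PDF."""
    counts = Counter()
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in ACTIVE_KEYS or name in OPAQUE_KEYS:
            counts[name] += 1
    active = {k: v for k, v in counts.items() if k in ACTIVE_KEYS}
    return {
        "active": active,                       # key -> occurrences
        "has_object_streams": counts["ObjStm"] > 0,  # scan may be incomplete
        "needs_warning": bool(active),          # what a viewer prompt could key on
    }


# Constructed sample: a minimal fragment written for this example, not a real file.
SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n"
    b"4 0 obj\n<< /S /J#61vaScript /JS (app.alert\\('hi'\\);) >>\nendobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    print(scan_pdf(SAMPLE))
```

A hit is a reason to look closer, not a verdict: the same byte sequences can occur by chance inside binary stream data, and a file that reports `has_object_streams` needs its streams decompressed before a clean result means anything.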