The article is a bit one-sided: it reviews the topic only from the aspect of ren... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		patrakov on April 13, 2024 \| parent \| context \| favorite \| on: Browser Security Bugs That Aren't: JavaScript in P... The article is a bit one-sided: it reviews the topic only from the aspect of rendering PDFs using a copy of pdf.js embedded in a web browser. However, this is not the only copy of pdf.js. It would be interesting to check software like NextCloud or its proprietary workalikes (e.g., PCloud) for their handling of untrusted JavaScript in PDF files shared through these platforms.

bawolff on April 13, 2024 [–]

They are mostly talking about chrome which does not use pdf.js (unless they changed it)

In any case, its pretty similar in both cases. Even in the client side rendering case, if there is a sandbox you still have to escape it before your script execution is a real vuln.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact