Browser Security Bugs That Aren't: JavaScript in PDF


A fairly common security bug report is of the form: “I can put JavaScript inside a PDF file and it runs!” For example, open this PDF file with Chrome, and you can see the alert(1) messa…

A fairly common security bug report is of the form: “I can put JavaScript inside a PDF file and it runs!” Support for JavaScript within PDFs is by-design and expected by the developers of PDF rendering software, including common browsers like Chrome and Edge. That describes a classic Stored XSS Attack, and it presents a security threat because the embedded script can steal or manipulate cookies (by accessing the document.cookie property), manipulate web platform storage (IndexedDB, localStorage, etc.), conduct request forgery attacks from a 1st party origin, etc.
