[Security Tip] Disable JavaScript Execution in PDF Viewer in Mozilla Firefox
Almost all popular web browsers come with built-in PDF Viewer tool which allows users to open and view PDF files inside the web browser without any need of launching a 3rd party PDF editor program to view the file.
In past, people used to install 3rd party PDF viewer software in their computer systems to open and view downloaded PDF files but now there is no need of installing extra software programs as all web browsers now come bundled with built-in PDF Viewer feature.
We can view, print and perform basic operations such as selecting and copying text in PDF files using the built-in PDF Viewer in all web browsers.
Advertisement
Mozilla Firefox browser also comes with a built-in PDF Viewer and if you download any PDF file from Internet, it can automatically open the PDF file as shown in following screenshot:
You can also open locally saved PDF files inside Firefox by typing the full path of PDF file in Firefox address bar or by using a simple drag-n-drop.
Now with the release of Firefox 88 version, Mozilla team has added an extra functionality to its built-in PDF Viewer which might be a security risk, that’s why we decided to create this article.
Mozilla team has enabled JavaScript execution support in its PDF Viewer in Firefox 88 and later versions which means if a PDF file contains some JavaScript embedded, Firefox will automatically execute the JavaScript.
Actually many developers use JavaScript in forms for validation purposes and to implement several interactive features. If a PDF file contains some kind of form to fill, there are chances it might also use JavaScript to validate the form.
In previous Firefox versions, JavaScript execution was disabled by default in PDF Viewer but Mozilla team decided to enable it in Firefox 88 and later versions.
Advertisement
If you don’t fill forms embedded in PDF files, you may safely deactivate and disable JavaScript execution feature in PDF Viewer. Sometimes a PDF file might contain unwanted JavaScript to perform malicious activities.
Mozilla team has provided a hidden preference/flag to enable/disable JavaScript execution support in PDF Viewer in Firefox.
Following steps will help you in turning off JavaScript execution support in built-in PDF Viewer in Mozilla Firefox web browser:
1. Open Firefox and type about:config in the addressbar and press Enter. It’ll show you a warning message, click on “Accept the Risk and Continue” button. It’ll open Firefox’s hidden secret advanced configuration page i.e. about:config page.
2. Now type scripting in Search filter box and look for following preference in the window:
pdfjs.enableScripting
The preference value will be set to true by default in newer versions of Firefox, which means the JavaScript execution is enabled in PDF Viewing tool.
3. To deactivate and disable JavaScript execution in PDF Viewer, double-click on pdfjs.enableScripting preference and change its value to false. Alternatively, you can click on Toggle icon given next to the preference value to change the value.
That’s it. You have successfully disabled JavaScript execution feature in PDF Viewer of Firefox browser.
In future, if you need the JavaScript functionality in PDF file, you can set the above mentioned preference/flag to True again or you can use a 3rd party PDF Viewer program.
Also Check:
[Tip] Disable PDF viewer in Chrome, Firefox, Microsoft Edge and Opera
[Tip] How to Restore “View Image” Option to Context Menu in Mozilla Firefox
[Tip] Take Webpage Screenshot Option Removed from Addressbar in Mozilla Firefox
I am using Firefox ESR(Extended Support Release) v78, currently this flag is not available, but will be added in future, it’s very good information because hackers can target using malicious code in pdf files (if javascript execution enabled).
Thank you for pointing out this possible security issue. I’m glad that the “fix” is so easy.
How do you disable JavaScript from executing in the Chrome PDF viewer? I can’t find a similar preference other than to disable the PDF viewer entirely.