Why using JavaScript in PDF files is a security risk
JavaScript security vulnerabilities & how to remove JS from PDFs
Learn how JavaScript works in PDFs, what JS PDF code is used for, why adding JavaScript to PDF files is a bad idea, and why JavaScript is not a secure way to protect documents.
What is JavaScript?
JavaScript is a scripting language used to change how an application or document behaves while it is being used. In a PDF this may be as simple as changing what a button does (or removing it), changing form fields, performing calculations, or blocking certain functionality.
The Adobe PDF format and JavaScript (PDF JS) have a long history. Adobe initially introduced it as a plugin to Adobe Acrobat in 1996 and eventually included it in the PDF specification in 2006. At the time, it was viewed as a simple way to enable users to make PDFs more interactive and advanced. Today, however, it is one of the format’s largest attack surfaces.
Is JavaScript in PDF files safe?
Adobe has previously warned that JS in PDFs is a security risk: it is regularly used by attackers to gain access to computers and their data. This is true even for certified (digitally signed) PDF files. A signature only vouches for who produced the file and that it has not been altered since; it says nothing about what an embedded script does when it runs.
By requiring users to enable JS to read your documents, you put their devices at risk, which may have legal consequences.
Here we look at how JavaScript works in Adobe and PDFs, but most importantly:
- JavaScript security issues and vulnerabilities
- Why Adobe protected mode is not effective
- How to disable JavaScript in PDF viewers and browsers
- Why JavaScript security controls don’t work
- How to remove JavaScript from a PDF
How JavaScript works in PDFs
Adobe extended JavaScript with its own object model (the Acrobat JavaScript API) so that scripts can read and change the open document, its form fields and the viewer itself. Users can add JavaScript to a document via the JavaScript Editor, or use triggers and actions to execute code when a user does something specific. For example, you could open another file when a user turns to a specific page.
What is JavaScript in PDFs used for?
JavaScript can run inside PDF documents and can be used for many things. Here are some of the most popular reasons to use it:
- To change PDF content after certain events are triggered. For example, hiding a page when a user goes to print, and pre-filling information such as the current date and time when a document is opened.
- To prevent the reader from taking specific actions, such as changing form fields.
- To set field values and submit form data on the press of a button.
- To add security functionality such as expiring a PDF after a certain date, or prevent printing of PDFs.
- To create a stamp with a prompt to add a number.
For this to work, you need a JavaScript PDF viewer such as Adobe Reader, Foxit, or most browser viewers. We’ll give you an example below.
How to use JavaScript to expire a PDF
Document expiry is a key feature for many businesses as it allows them to remove outdated information from circulation and ensure sensitive data only remains accessible for as long as necessary. As we’ll cover later, JavaScript is not suitable for the second use case, but it may be valid for the former, provided you can accept its security risks.
Here’s one way of using JavaScript to expire a PDF:
- Open your PDF in Acrobat Pro and press the JavaScript icon in the right-hand tools pane.
- Click “Document JavaScripts” in the toolbar, type “expire” in the script name field, and press “Add…”.
- Type the expiry code into the JavaScript editor and press “OK”. (The “All JavaScripts” button lists every script the document now carries, which is a quick way to confirm it was saved.)
- Document-level scripts run each time the file is opened, so users who open it after the expiry date get a warning and the PDF closes.
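The script the steps above add is, in outline, a document-level Acrobat JavaScript that compares the current date with a fixed expiry date and closes the document if that date has passed. The version below is an added example written for this article, not the page’s original snippet: the expiry date is a constructed sample value, the check is split into plain functions so it can be run and tested outside Acrobat (for instance under Node), and the only Acrobat-specific calls (`app.alert` and `this.closeDoc` from the Acrobat JavaScript API) are reached only when those globals exist. It formats the date with `Date.prototype.toISOString` rather than Acrobat’s `util.printd`, which assumes the viewer’s script engine supports ES5.

```javascript
// Added example (not the page's own script): an Acrobat document-level
// expiry script whose decision logic is split out so it can also be run
// and tested outside Acrobat (e.g. under Node). The date below is a
// constructed sample value.
var EXPIRY_DATE = new Date(Date.UTC(2025, 0, 31)); // 31 Jan 2025, 00:00 UTC

// Pure decision: true when the clock value `now` is past `expiry`.
// Note what this depends on: the viewer's idea of the current time,
// i.e. the user's own system clock.
function isExpired(now, expiry) {
  return now.getTime() > expiry.getTime();
}

// Message shown to the reader when the document has expired.
function expiryMessage(expiry) {
  return "This document expired on " + expiry.toISOString().slice(0, 10) +
         " and will now close.";
}

// Acrobat-side enforcement: `doc` is the Acrobat Doc object (`this` at
// document level) and `acrobatApp` is the global `app` object. Returns
// true when the document was closed, false when it was left open.
function enforceExpiry(doc, acrobatApp, now, expiry) {
  if (!isExpired(now, expiry)) {
    return false;                                // still valid, open normally
  }
  acrobatApp.alert(expiryMessage(expiry), 1);    // icon 1 = warning
  doc.closeDoc(true);                            // true = discard changes, no prompt
  return true;
}

// Only call into the Acrobat API when it is actually present; under Node
// the globals `app` and `util` do not exist and this block is skipped.
if (typeof app !== "undefined" && typeof util !== "undefined") {
  enforceExpiry(this, app, new Date(), EXPIRY_DATE);
}
```

Because `enforceExpiry` takes the clock as a parameter, you can see the weakness directly: a reader whose system clock is set back, or who has JavaScript switched off so the block never runs, never reaches `closeDoc`.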
Does JavaScript expiry work?
No. There is one major flaw: users can disable JavaScript in their PDF reader, and the expiry date will not be enforced. Even when JavaScript is left on, the script compares the expiry date with the viewer’s local clock, which the user controls, and anyone with a PDF editor can simply delete the script from the file. It is therefore completely useless as a security control.
PDF and JavaScript security issues
There is a reason that Adobe has settings such as “Protected Mode” for its JavaScript functionality – JS represents a major security threat. Historically and consistently, obfuscated JavaScript in PDF files has been used to deliver malware, steal credentials, and perform other malicious activities.
There are several ways to perform JavaScript-based attacks:
- Tools such as JS2PDFInjection will embed a JavaScript file inside a PDF for you; when such a PDF is rendered by a browser-based viewer, this has been used to perform cross-site scripting (XSS) attacks.
- Attackers can use JavaScript to send any passwords entered in PDF forms or dialogs to themselves or embed a malicious link.
- Flaws or security holes in PDF readers allow for direct remote code execution.
Enabling JS in applications is therefore a major security concern.
Does Acrobat’s protected mode fix PDF’s JavaScript security issues?
Acrobat Reader’s Protected Mode runs the Reader process inside a sandbox (a restricted, low-privilege process), so both JavaScript and any exploit of the PDF parser itself are limited in what they can read, write and launch on the machine.
However, there are still some issues with this approach:
- Protected Mode is Windows only and Adobe Acrobat only. Most users are opening PDFs in their web browser, which isn’t always sandboxed. Protected Mode is also known to conflict with some popular anti-virus products.
- It’s essential to understand that Protected Mode doesn’t protect against all attack types. For example, JavaScript designed to extract data users have entered in a form field will still work, because the sandbox restricts what the process can do to the operating system, not what a script can do with the document’s own contents. There is also the potential for sophisticated attackers to escape the sandbox by exploiting vulnerabilities. CVE-2021-31199, for example, was an elevation-of-privilege flaw in the Microsoft Enhanced Cryptographic Provider that was exploited in the wild in a chain with a separate Acrobat Reader code-execution bug: the Reader bug ran attacker code inside the sandbox, and the Windows bug got it out.
- Admins can define privileged folders and hosts that Protected Mode treats as trusted, so there is still the potential for attacks originating from a “trusted” location. A poorly configured policy can therefore permit actions that the default configuration would block.
So, Protected Mode does represent a significant upgrade in security versus opening a JavaScript-enabled PDF with no sandbox, which you should never do.
Given the issues highlighted above, however, you are better off disabling JavaScript across users’ PDF reader applications. Adobe have previously warned that JS in PDFs is a security risk, and many security firms have urged them to disable it by default.
How to disable JavaScript in PDF viewers
Most JavaScript PDF viewers, including browser viewers, allow you to disable JavaScript. We’ll briefly show how to disable JavaScript in a few popular viewers.
How to disable JavaScript in Adobe PDF Reader
- Open your PDF and click Edit > Preferences in the toolbar.
- Click on “JavaScript” in the Preferences category list and untick “Enable Acrobat JavaScript”. Press “OK”. Administrators can enforce and lock this setting for all users with the bEnableJS value (DWORD 0) under the FeatureLockDown policy key, e.g. HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown for Reader, so that users cannot switch it back on.
How to disable JavaScript in Firefox PDF viewer
Neither Google Chrome nor the Chromium-based Microsoft Edge let you disable JavaScript specifically in the PDF viewer. You can only turn off JavaScript as a whole or for specific websites. Firefox, however, has a useful settings toggle for precisely this purpose:
- Open Firefox and enter “about:config” in your address bar.
- Search for “pdfjs.enableScripting” and double-click it to set it to false.
- When you open a PDF in Firefox, JavaScript will be disabled.
How to Disable JavaScript in Foxit PDF viewer
The process to disable JavaScript in Foxit is more or less the same as in Adobe Acrobat:
- Open Foxit and press File > Preferences.
- Go to the “JavaScript” section and untick “Enable JavaScript Actions”.
JavaScript security controls: do they work?
Some of the common use cases for JavaScript in PDFs make sense if you ignore the security issues. Using JavaScript to enforce document restrictions or controls is not one of them, however much the PDF JavaScript API looks like it offers that.
The important thing to realize is that JavaScript in desktop PDFs is optional. Users can turn it off at any point, and with it any code you use to disable the print and download buttons or enforce expiry dates. They can also remove the JavaScript from the PDF with the same tools you used to add it.
Even if you deliver PDFs via the browser:
- JavaScript in PDFs can’t stop screenshots.
- Users can modify and bypass JavaScript controls, because the JavaScript executes on their machine. In many cases, they can also recover the full unprotected PDF from the network tab of the browser’s developer tools.
- Users can edit JS in the browser, install plugins, run scripts, or go to a website such as Docsend2PDF to remove the security controls.
- If you allow printing, users can print to fresh PDF files that don’t have JavaScript enforced.
The above is true even if the documents are delivered as HTML instead. JS cannot effectively control use of the browser environment, as we explain in How secure are data rooms and How secure are Google Docs.
In other words, JavaScript document controls are useless. Businesses that use them open the door to genuine security threats in exchange for very little.
How to remove JavaScript from a PDF
Any user with a suitable PDF editor can remove JavaScript from PDF files. There are several ways to do it, but the fastest way in Acrobat is by saving it as an optimized PDF:
- Open your JavaScript-enabled PDF and press “File > Save as Other > Optimized PDF…”.
- Click on “Discard Objects” in the sidebar and then “Discard all JavaScript actions” in the main pane.
- Press “OK” followed by “Save” to overwrite your original PDF with one without JavaScript. Confirm the result in the JavaScript tool’s “All JavaScripts” view, and note that saving a modified copy invalidates any digital signature the original carried.
How to protect PDFs securely without JavaScript
Thankfully you do not need to use JavaScript to enforce PDF restrictions or controls. Though the built-in restrictions of PDF editors such as Adobe Acrobat are useless, other third-party solutions exist. We have previously assessed the best ways to protect PDFs from sharing and misuse and you will see that PDF DRM comes out on top.
Locklizard Safeguard enables you to prevent PDF editing, copy-pasting, printing, saving, and sharing, as well as expire documents and add dynamic watermarks. It provides better security than JavaScript does and more, without compromising users’ systems.
Here’s how it works:
- Right-click on the PDF and choose “Make secure PDF”.
- Select the copy protection controls you want to apply. By default, editing, copying, and printing are disabled. We recommend adding a watermark to your digital and printed documents. This deters users from taking a picture with their phone, or scanning a printed copy and running it through an OCR tool.
- Press the Publish button to protect the PDF. The secured PDF is written as a .pdc file in the same folder as the original PDF.
- Add a user account and send them their license via the Safeguard admin portal. See how to add a new user and grant them document access.
- The Safeguard Viewer enforces your DRM restrictions and nobody will be able to edit your protected PDF files.
How to remove JavaScript from a PDF with Safeguard
By default, Safeguard will automatically remove all JavaScript from the PDFs you protect when you hit “Publish”.
You can double-check that this option is enabled by opening the customization tab, ticking “Optimize PDF” if it isn’t selected already, and pressing the settings cog next to it.
In the “Additional” section, “Remove Javascript” should be ticked. See how to remove PDF metadata, JavaScript, and hidden information for details on the other options.
Closing words
Though JavaScript in PDFs has its uses, in most cases:
- It is useless because you have to rely on users having JS enabled in their viewing app.
- Users can modify JS in the browser, block or stop code execution.
- It represents an unnecessary security risk.
Despite efforts by Adobe to limit the impact of malicious JavaScript, it remains a vector that sophisticated attackers can exploit to compromise data, users, and their devices. Given the easy workarounds, the security risks and legal implications, you should think carefully before adding JavaScript to PDF files.
Locklizard PDF DRM does not use JavaScript for protection, provides stronger security, modular controls, and a better user experience. Try it for yourself by taking a 15-day free trial.
FAQs
Do PDFs contain JavaScript?
PDFs can contain JavaScript, though many don’t. It all depends on whether somebody has added it to the document.
How do I activate JavaScript in a PDF?
If JavaScript is enabled in your PDF viewer (Edit > Preferences > JavaScript), it should activate automatically when its conditions are met. JavaScript can be triggered by special events such as pressing a start button or next button, filling in a form field, opening the PDF, etc.
Is any trustworthy solution available to remove JavaScript from PDF in batch?
There are several applications available to remove JavaScript from PDFs, but we cannot guarantee their safety. Any solution however that can optimize a PDF can be used to batch remove JS code.
How can I tell if a PDF has JavaScript?
Open it in Adobe Acrobat, press the JavaScript icon and then “All JavaScripts”, and check whether any script code is listed. This view covers document-level scripts as well as scripts attached to page, field, link and annotation actions. Outside Acrobat, look in the raw file for the /JavaScript and /JS keys (and for the /OpenAction and /AA keys, which run an action automatically); bear in mind that objects stored inside compressed object streams must be decompressed before those names are visible.
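As an added example (not part of the original article or of any Adobe tool), the following Node script performs that raw-byte check. It normalises PDF name escapes first, since `/J#53` is a legal spelling of `/JS` and defeats naive string matching, then reports which script and auto-trigger keys appear and whether compressed object streams (`/ObjStm`) are present, in which case a clean result is not conclusive. The two PDFs it scans are constructed in-line for the demonstration: they are minimal hand-written files, not real documents, and the script does not decompress streams.

```javascript
// Added example: first-pass scanner for script-bearing keys in a PDF.
// Works on the raw bytes of a PDF (string or Buffer). Does NOT inflate
// /FlateDecode streams, so content hidden in compressed object streams
// is only flagged as "needs decompression", not found.

// Keys that carry script, and keys that run an action automatically.
var SCRIPT_KEYS = ["/JavaScript", "/JS"];
var TRIGGER_KEYS = ["/OpenAction", "/AA"];

// PDF names may encode any byte as #xx, so /J#53 is the same name as /JS.
// Decode those escapes before matching, otherwise a trivially obfuscated
// file scans clean.
function decodeNameEscapes(text) {
  return text.replace(/#([0-9A-Fa-f]{2})/g, function (_, hex) {
    return String.fromCharCode(parseInt(hex, 16));
  });
}

// Count occurrences of a name key followed by a delimiter, so that /JS
// does not match a longer name such as /JSomething.
function countKey(text, key) {
  var re = new RegExp(key.replace("/", "\\/") + "(?![A-Za-z0-9])", "g");
  var matches = text.match(re);
  return matches ? matches.length : 0;
}

// Scan a PDF given as a latin1 string or a Buffer and summarise findings.
function scanPdf(bytes) {
  var raw = typeof bytes === "string" ? bytes : bytes.toString("latin1");
  var text = decodeNameEscapes(raw);
  var findings = {};
  SCRIPT_KEYS.concat(TRIGGER_KEYS).forEach(function (key) {
    var n = countKey(text, key);
    if (n > 0) findings[key] = n;
  });
  return {
    hasScript: SCRIPT_KEYS.some(function (k) { return findings[k] > 0; }),
    hasAutoTrigger: TRIGGER_KEYS.some(function (k) { return findings[k] > 0; }),
    hasCompressedObjects: countKey(text, "/ObjStm") > 0,
    findings: findings
  };
}

// Constructed sample: a minimal PDF whose catalog /OpenAction points at a
// JavaScript action, with the action's names hex-escaped (/#4Aava#53cript
// is /JavaScript, /J#53 is /JS). The xref table is omitted; this is input
// for the scanner, not a file meant to be opened in a viewer.
var SAMPLE_SCRIPTED_PDF = [
  "%PDF-1.7",
  "1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj",
  "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
  "3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj",
  "4 0 obj << /Type /Action /S /#4Aava#53cript /J#53 (app.alert('hi');) >> endobj",
  "trailer << /Root 1 0 R >>",
  "%%EOF"
].join("\n");

// Constructed sample: the same document with no action at all.
var SAMPLE_CLEAN_PDF = [
  "%PDF-1.7",
  "1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
  "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
  "3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj",
  "trailer << /Root 1 0 R >>",
  "%%EOF"
].join("\n");

console.log("scripted:", JSON.stringify(scanPdf(SAMPLE_SCRIPTED_PDF)));
console.log("clean:   ", JSON.stringify(scanPdf(SAMPLE_CLEAN_PDF)));
```

Run it on a real file with `scanPdf(require("fs").readFileSync(path))`. Treat `hasScript` as a definite finding and a clean result with `hasCompressedObjects` set as “unknown”: a full check needs the streams inflated, or the Acrobat “All JavaScripts” view described above.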
How do I disable JavaScript in Chrome?
In the address bar, enter chrome://settings/content/javascript and select the option that stops sites from running JavaScript (labelled “Don’t allow sites to use JavaScript” in current versions). This blocks JS on web pages without a restart. Note that this is a site-wide setting, not a PDF-viewer setting, and you can still add exceptions for sites you trust.
How do I disable JavaScript in Edge?
- Open DevTools by right-clicking on the webpage and selecting Inspect.
- Press Ctrl+Shift+P (Windows, Linux) or Command+Shift+P (macOS) to open the Command Menu.
- Type javascript, select ‘Disable JavaScript [Debugger]’, and then press Enter.
This only disables JavaScript in that tab for as long as DevTools stays open. To turn it off for the whole browser, enter edge://settings/content/javascript in the address bar and switch JavaScript off.
Is enabling JavaScript a security risk in the web browser?
Yes. Enabling JS exposes the browser to attacks such as Cross-Site Scripting (XSS) and drive-by exploitation of browser vulnerabilities, and it is the usual vehicle for exploiting flaws in web applications. Sensitive data could therefore be leaked to attackers without your knowledge, such as form data, session tokens and login credentials.
Do secure data rooms use JS to enforce controls?
Yes. It is the main reason why secure data rooms are not as secure as they lead you to believe. All browser-based online document sharing and collaboration systems use JS for document protection. As we show in How secure is Google Docs, that security is simple to remove.
Can you encrypt JavaScript?
Yes, but it has to be decrypted inside the viewing application (such as the browser) before it can execute, so the key is always available to the user. Obfuscating your JS code can make it harder to read, but neither encryption nor obfuscation can stop a user who controls the runtime from recovering and changing it.
Do you need JavaScript for Adobe forms?
Mostly. A form can be submitted with the PDF Submit-a-form action without any custom script, but calculations, validation and most interactivity in Acrobat forms are implemented with JS (Acrobat’s built-in field formats and calculations are JavaScript under the hood). There are, however, better ways to submit a PDF form securely.
Is there a more secure alternative to JavaScript?
Inside a PDF there is no alternative: JavaScript is the only scripting language the format supports, so the secure option is not to script the document at all and to rely on viewer-enforced controls instead. For general development there are many free and open-source languages; this blog on JS alternatives covers 10 of them.