Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Does Firefox PDF Viewer Have Some Kind of Security Sandbox?

more options

I went searching on Google the other day for free e-books, but I stupidly forgot to turn on NoScript. I clicked on what was, in retrospect, a very questionable Google link for a PDF file.

Just to be safe, I did a full-system scan and boot-time scan with Avast, as well as a full-system scan with Comodo, but nothing malicious turned up. However, I know that these anti-malware programs are not foolproof, and malware is becoming ever more able to evade them. That said, I have not found any specific evidence that would suggest my computer is infected with malware.

So my question is, does Firefox or Firefox PDF Viewer sandbox PDF files in anyway, so that a PDF opened in the Firefox browser could be contained and/or prevented from executing any malicious scripts? I tried to look this up, but I cannot quite understand many things I have read because they are written in very technical language that I am not familiar with.

Thank you very much for any help you can provide; it is greatly appreciated!

I went searching on Google the other day for free e-books, but I stupidly forgot to turn on NoScript. I clicked on what was, in retrospect, a very questionable Google link for a PDF file. Just to be safe, I did a full-system scan and boot-time scan with Avast, as well as a full-system scan with Comodo, but nothing malicious turned up. However, I know that these anti-malware programs are not foolproof, and malware is becoming ever more able to evade them. That said, I have not found any specific evidence that would suggest my computer is infected with malware. So my question is, does Firefox or Firefox PDF Viewer sandbox PDF files in anyway, so that a PDF opened in the Firefox browser could be contained and/or prevented from executing any malicious scripts? I tried to look this up, but I cannot quite understand many things I have read because they are written in very technical language that I am not familiar with. Thank you very much for any help you can provide; it is greatly appreciated!

All Replies (2)

more options

Hi FlyerFlox, I would not depend on a browser to provide advanced functions regarding PDFs.

Instead, I would download the file, scan it with anti-virus, then open it with Adobe Reader.

Before opening it in Reader, go to: Preferences >> JavaScript >> Enable Acrobat JavaScript = Off.

When done with the PDF file, turn JavaScript back on.

more options

Hi FlyerFlox, Firefox has some amount of sandboxing, meaning, it can run web content in a less privileged context that provides less access to the system. However, this appears to require that your Firefox is running in multiprocess mode (also known as e10s), which can be blocked by some legacy add-ons. Therefore, I don't know whether your Firefox was sandboxing content at the time you opened the PDF.

The code used to convert PDFs to HTML -- generally known as the "pdf.js" library -- has suffered from one or more disclosed and patched security flaws. Likely, since code is made by humans, other vulnerabilities will be discovered in the future.

That said, I don't know whether anyone has discovered exploits in the wild for pdf.js recently and whether you would have happened across one randomly (as opposed to getting an attachment via phishing attack message).

Regarding scripts, I don't know pdf.js can run the scripts that some PDF authors embed in their PDFs. It might still be a missing or incomplete feature. It's hard to search about that because pdf.js is written in JavaScript...