JavaScript

Skip to end of metadata
Go to start of metadata

Description

PDF documents may contain JavaScript.

Risks

The presence of JavaScript can be a security issue.

Assessment

The following table shows the relevant output of Apache Preflight (part of Apache PDFBox) for PDFs with JavaScript. Results obtained with Preflight 2.0.0:

Reference file Description Error Code(s) Details
javascript.pdf Contains embedded Javascript 6.2.5 Action is forbidden, The action JavaScript is forbidden

Notes

Error code is generic

The Preflight source code reveals that error code 6.2.5 is a generic error code for any action that is forbidden in PDF/A-1. The JavaScript action is just one of them, which means that it is not possible to identify embedded Javascript without taking into account the elaborate error description (i.e. the contents of the details field in the output) as well.

JavaScript not detected in all cases

Additional tests with more complex PDFs show that Apache Preflight (revision 1530740) is not always successful at detecting JavaScript. The following page shows an intercomparison of output from Adobe Acrobat Preflight and Apache Preflight for a selection of PDFs from the Adobe Acrobat Engineering website:

Analysis of Acrobat Engineering PDFs with Acrobat Preflight and Apache Preflight

The following PDFs contain JavaScript (confirmed by both Acrobat Preflight and a manual check with a hex editor), but this is not reported by Apache Preflight:

Recommendations

Pre-ingest

  • Formulate policy on how to deal with JavaScript in PDFs.
  • Use Apache Preflight to establish if files contain JavaScript (but note that Preflight's JavaScript detection is not perfect yet).

Existing collections

  • Use Apache Preflight to establish if files contain JavaScript (but note that Preflight's JavaScript detection is not perfect yet).

Example files

Labels:
formatissue formatissue Delete
pdf pdf Delete
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.