JavaScript

Description

PDF documents may contain JavaScript.

Risks

The presence of JavaScript can be a security issue.

Assessment

The following table shows the relevant output of Apache Preflight (part of Apache PDFBox) for PDFs with JavaScript. Results obtained with Preflight 2.0.0:

Reference file	Description	Error Code(s)	Details
javascript.pdf	Contains embedded Javascript	6.2.5	Action is forbidden, The action JavaScript is forbidden

Notes

Error code is generic

The Preflight source code reveals that error code 6.2.5 is a generic error code for any action that is forbidden in PDF/A-1. The JavaScript action is just one of them, which means that it is not possible to identify embedded Javascript without taking into account the elaborate error description (i.e. the contents of the details field in the output) as well.

JavaScript not detected in all cases

Additional tests with more complex PDFs show that Apache Preflight (revision 1530740) is not always successful at detecting JavaScript. The following page shows an intercomparison of output from Adobe Acrobat Preflight and Apache Preflight for a selection of PDFs from the Adobe Acrobat Engineering website:

Analysis of Acrobat Engineering PDFs with Acrobat Preflight and Apache Preflight

The following PDFs contain JavaScript (confirmed by both Acrobat Preflight and a manual check with a hex editor), but this is not reported by Apache Preflight:

Recommendations

Pre-ingest

Formulate policy on how to deal with JavaScript in PDFs.
Use Apache Preflight to establish if files contain JavaScript (but note that Preflight's JavaScript detection is not perfect yet).

Existing collections

Use Apache Preflight to establish if files contain JavaScript (but note that Preflight's JavaScript detection is not perfect yet).

Example files

http://www.opf-labs.org/format-corpus/pdfCabinetOfHorrors/ - PDF Cabinet of Horrors on OPF Format Corpus