Opened 6 years ago

Last modified 11 months ago

#7501 assigned task

Audit PDF.js

Reported by: mikeperry Owned by: gk
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-security, ff60-esr
Cc: gk, isis, intrigeri Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


While I'm reviewing and testing Firefox 17 for ESR, I should see if I can get PDF.js working well enough to include it.

I'll also need to review its source code for obvious signs of proxy bypass and potential third party state storage, though.

Child Tickets

Change History (25)

comment:1 Changed 6 years ago by mikeperry

Bleh. It appears our font limiting patch interferes with this. The good news is that it looks like this thing represents fonts as WebFonts, so if we implement #5798 (and exempt WebFonts from our counts), it should work just fine.

comment:2 Changed 6 years ago by gk

Cc: g.koppen@… added

comment:3 Changed 6 years ago by mikeperry

Mozilla has started shipping this code as part of Firefox (but off by default) in Firefox 18. I am not sure what this means for security updates. I presume the entry in will continue to get them, at least until the Firefox version is on by default?

comment:4 in reply to: 3 Changed 6 years ago by cypherpunks

Replying to mikeperry:

Mozilla has started shipping this code as part of Firefox (but off by default) in Firefox 18.

Pdf.js is already included in FF 17.0.2 ESR

comment:5 Changed 6 years ago by mikeperry

Hrmm. Well, my concerns about security updates apply doubly to the PDF.js in FF17-ESR. They may not consider those in need of backport since it is off by default and has no UI to enable it. Unless we hear otherwise, it is probably wisest to stick with the AMO version.

comment:6 Changed 6 years ago by mikeperry

Cc: isis added
Keywords: tbb-usability added
Parent ID: #7248

Ok, I spoke with a couple Mozilla folks, and here's the status:

  1. They do not plan to backport security updates for PDF.js to FF17-ESR. We have to use the addon.
  2. They plan on providing updates to the addon until FF24-ESR.
  3. PDF.js does try to obey Private Browsing Mode. It tries to avoid touching the disk if PBM is on.
  4. They do not evaluate PDF Javascript (
  5. It *is* possible to evaluate PDFs in third party iframes and object tags.

Point 5 means that we have to test the PDF caching behavior for PDF.js to ensure it is similarly isolated per URL bar domain like everything else. If not, we may not be able to include it in TBB-stable until we find a way to prevent 3rd party tracking via PDFs, or simply find a way to disable 3rd party PDF loading.
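A constructed harness for the cache-isolation check that point 5 calls for, added here and not part of the ticket, Tor Browser or PDF.js: it serves a PDF carrying a fresh per-fetch token and logs the first-party host of every real fetch, so that embedding the same PDF under a second URL-bar domain without a new fetch appearing reveals a cache shared across sites. The host names, port 8000 and Referer-based attribution are assumptions.

```python
"""Constructed test harness (not Tor Browser or PDF.js code): serves a PDF whose
content carries a per-fetch token and logs the first-party host of each fetch, to
show whether a third-party PDF is re-fetched per URL-bar domain or cache-shared."""
import uuid
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse
PDF_PATH = "/probe.pdf"            # the "third-party" PDF resource
FETCH_LOG = []                     # (first_party_host, token) per real fetch

def make_pdf(token):
    """Minimal one-page PDF that renders the token as visible text."""
    text = f"BT /F1 18 Tf 20 40 Td ({token}) Tj ET".encode()
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>", b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 300 100] "
            b"/Contents 4 0 R /Resources << /Font << /F1 5 0 R >> >> >>",
            b"<< /Length %d >>\nstream\n%s\nendstream" % (len(text), text),
            b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>"]
    out, offsets = b"%PDF-1.4\n", []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))                  # byte offset of each object
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref = len(out)                               # offset of the xref table
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    return out + b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)

class Probe(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == PDF_PATH:
            # Referer carries the embedding page's origin, i.e. the URL-bar host.
            first_party = urlparse(self.headers.get("Referer", "")).hostname or "?"
            token = uuid.uuid4().hex[:8]
            FETCH_LOG.append((first_party, token))
            body, ctype = make_pdf(token), "application/pdf"
        else:
            # Embedding page: open as http://localhost:8000/ and http://127.0.0.1:8000/
            body = (f"<h1>{self.headers.get('Host')}</h1><iframe width=400 "
                    f"src='http://127.0.0.1:8000{PDF_PATH}'></iframe>").encode()
            ctype = "text/html"
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Cache-Control", "max-age=3600")  # make caching possible
        self.end_headers()
        self.wfile.write(body)

def assess_isolation(log, visited_hosts):
    """True if every visited first-party host caused its own PDF fetch."""
    return all(any(h == host for h, _ in log) for host in visited_hosts)

if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8000), Probe).serve_forever()
```

After visiting both embedding pages, `assess_isolation(FETCH_LOG, ["localhost", "127.0.0.1"])` is True only when each URL-bar domain produced its own fetch (and thus its own token).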

comment:7 Changed 5 years ago by gk

Cc: gk added; g.koppen@… removed

I'd like to look at closer as well as this is pretty scary.

comment:8 Changed 5 years ago by gk

Keywords: ff31-esr added
Owner: changed from mikeperry to gk
Status: new → assigned
Summary: Include PDF.js extension in TBB → Audit PDF.js

Version 1.0.x landed some days ago on mozilla-central and will therefore be included in ESR 31. Time to do a thorough audit, I guess... FWIW: they still don't evaluate PDF JavaScript and currently don't plan to do so.

comment:9 Changed 5 years ago by intrigeri

Cc: intrigeri added

comment:10 Changed 5 years ago by erinn

Keywords: needs-triage added

comment:11 Changed 5 years ago by erinn

Component: Tor bundles/installation → Tor Browser
Keywords: needs-triage removed

comment:12 Changed 5 years ago by mikeperry

Keywords: TorBrowserTeam201409 added

comment:13 Changed 4 years ago by mikeperry

Keywords: TorBrowserTeam201410 added; TorBrowserTeam201409 removed

comment:14 Changed 4 years ago by mikeperry

Keywords: TorBrowserTeam201410 removed

comment:15 Changed 4 years ago by gk

(although this is strictly speaking no pdf.js bug)

comment:16 Changed 3 years ago by Sebastian

Severity: Normal

Has this been resolved?

comment:17 in reply to: 16 Changed 3 years ago by gk

Replying to Sebastian:

Has this been resolved?

Alas, not yet.

comment:18 Changed 2 years ago by cypherpunks

Keywords: tbb-linkability ff52-esr added; ff31-esr removed

Review with every ESR.

comment:19 Changed 22 months ago by cypherpunks

Is this even worth it now with the move to replace pdf.js with the one from Chromium (PDFium which is written in C++ = memory unsafe) for ff59?

comment:20 Changed 19 months ago by cypherpunks

Keywords: tbb-security added; tbb-usability tbb-linkability ff52-esr removed

Indeed, Mozilla realized that it needed a full-featured PDF processor, especially for ISO 32000-2:2017, and no PDF.js could cope with it. So now we have Adobe PDF Plugin integrated into the chrome process for

comment:21 Changed 18 months ago by cypherpunks

According to a comment by a Platform Engineer at Mozilla, PDFium may land in 58 but he says "don't quote me on that", so there's a high chance that in a worst case scenario it would be already available for FF59-esr.

comment:22 Changed 17 months ago by cypherpunks

According to the top comment in this thread on HN

PDFium used by Chrome internally uses Foxit PDF library to read and extract information from the PDF.

Google basically bought Foxit's library and open sourced it - but looks like the open source version isn't keeping up with the upstream commercial version of Foxit because the latest Foxit reader doesn't seem to have this bug.

If this is true, and the commercial version is years ahead of the open source version in terms of security fixes, then it's a serious security issue. One wonders why they didn't go for Evince which was always open source and cross-platform. Anyway, one should keep that in mind and if possible lobby Mozilla to look into this.

comment:23 Changed 16 months ago by cypherpunks

According to Dave Townsend, there are no "plans to integrate PDFium at this point", so unless there's a big surprise FF59 will still be stuck with pdfjs :(

comment:24 Changed 14 months ago by cypherpunks

Keywords: ff60-esr added

Seems more and more like PDFium integration with Firefox is dead, so putting review with every ESR again.

comment:25 Changed 11 months ago by cypherpunks

It's official folks, Project Mortar *IS* DEAD

The Mortar experiment has concluded. Mozilla does not consider the PDF use case justifies the burden of implementing and maintaining PDFium and a Pepper API implementation in Gecko.

So the ff60-esr keyword was justified after all.
