PDF JavaScript Injection

What is PDF JavaScript?

PDF files can contain embedded JavaScript that executes when the document is opened in a viewer that supports the Adobe JavaScript API (primarily Adobe Acrobat Reader). This JavaScript runs in a sandboxed environment but still provides access to powerful APIs including URL launching, form manipulation, and data submission.

How PDF JavaScript Injection Works

The PDF specification supports an /OpenAction dictionary entry in the document catalog. When set to a JavaScript action, the viewer will execute the script as soon as the document is opened. This is the primary trigger mechanism used by this plugin.

Key PDF structures involved:

  • /Catalog — The root object of the PDF document tree
  • /OpenAction — Specifies an action to perform when the document is opened
  • /S /JavaScript — Declares the action type as JavaScript execution
  • /JS — Contains the JavaScript code to execute

Attack Scenarios

Alert Box (Proof of Concept)

A simple app.alert() call proves that JavaScript execution is possible. This is typically the first step in demonstrating the vulnerability.

URL Launch (Data Exfiltration)

Using app.launchURL(), the PDF can force the viewer to open a URL in the default browser. This can be used for:

  • Phishing (redirect to a malicious login page)
  • Tracking (confirm document was opened)
  • Data exfiltration (send document metadata or form data to an external server)

Redirect

Same mechanism as URL launch — the viewer opens the attacker-controlled URL when the document is opened.

Custom JavaScript

Advanced payloads using the full Acrobat JavaScript API, including:

  • app.alert() — Display dialog boxes
  • app.launchURL() — Open URLs
  • this.submitForm() — Submit form data to an external URL
  • this.getField() — Read form field values
  • util.printf() — Format strings (useful for constructing payloads)

Defenses This Bypasses

  • File type allowlisting — PDF is a universally accepted format
  • MIME type checks — application/pdf is legitimate
  • Basic content scanning — JavaScript is embedded in the PDF structure, not visible as plain text
  • Email attachment filters — PDFs are commonly allowed through

Defenses That Block This

  • Disabling JavaScript in PDF viewers (Acrobat: Edit > Preferences > JavaScript)
  • Using PDF viewers without JavaScript support (most non-Adobe viewers)
  • Content Disarm and Reconstruction (CDR) — strips active content from PDFs
  • Sandboxed PDF viewing (browser-based viewers typically don't execute JS)
  • Security policies that block /OpenAction and /JavaScript in PDF objects

References