Embedded javascript in pdf files emailed to me  SOLVED

Forum for the PDF-XChange Editor - Free and Licensed Versions

Moderators: TrackerSupp-Daniel, Tracker Support, Paul - Tracker Supp, Vasyl-Tracker Dev Team, Chris - Tracker Supp, Sean - Tracker, Ivan - Tracker Software, Tracker Supp-Stefan

BrianG
User
Posts: 83
Joined: Thu Aug 23, 2007 1:46 pm

Embedded javascript in pdf files emailed to me

Post by BrianG »

The AV product I currently use is blocking incoming emails that contain an attached pdf file in which there is embedded javascript. These regularly come from known sources who I then have to contact and ask that they print as a pdf image and resend or transmit by fax. Should I be this concerned about embedded javascript? This question applies to both Editor and Viewer because I use both (Viewer is preferred but I'm REALLY trying to adapt to Editor).
TrackerSupp-Daniel
Site Admin
Posts: 8611
Joined: Wed Jan 03, 2018 6:52 pm

Re: Embedded javascript in pdf files emailed to me

Post by TrackerSupp-Daniel »

Hi, BrianG

If you are only receiving documents from trusted sources, then there should be no reason to worry, but yes, it is possible for document JavaScript to be used maliciously. This is why our software will by default prompt you, asking you to allow it to run before actually proceeding. If the document comes from an unknown source, it is generally safer to not allow JS to run in the document until you have clarification on why the JS is in place.

Kind regards,
Dan McIntyre - Support Technician
Tracker Software Products (Canada) LTD

+++++++++++++++++++++++++++++++++++
Our Web site domain and email address has changed as of 26/10/2023.
https://www.pdf-xchange.com
Support@pdf-xchange.com
BrianG
User
Posts: 83
Joined: Thu Aug 23, 2007 1:46 pm

Re: Embedded javascript in pdf files emailed to me

Post by BrianG »

Thanks Daniel. I un-quarantined one of these documents so I could see what the prompt to allow looked like but there wasn't a prompt. The document did open secured however. I guess that is what was detected as embedded javascript.

Is the prompt "in your face" enough to be taken as a warning and not as informational?
TrackerSupp-Daniel
Site Admin
Posts: 8611
Joined: Wed Jan 03, 2018 6:52 pm

Re: Embedded javascript in pdf files emailed to me

Post by TrackerSupp-Daniel »

Hi, BrianG

The prompt will only appear before the JS runs without you intentionally running it, so if the document does not have any which runs automatically "on document open" you often will not need to worry about getting the prompt. We also keep a list of "trusted" documents, so if you have opened this file in the past and allowed JS to run in it, you would not see the prompt.

But yes it is fairly "in your face" and will prevent any other action until you decide what to do with that document. You can double check that you have this enabled from the preferences (Ctrl+K) under JavaScript.

Kind regards,
Dan McIntyre - Support Technician
Tracker Software Products (Canada) LTD

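The distinction drawn in the reply above, between JavaScript that runs "on document open" and JavaScript that only runs when the reader triggers it, can be checked on a quarantined file before it is opened. The following is an added example, not part of the original thread and not the detection logic of PDF-XChange or of any AV product: a heuristic scan for the PDF names `/JS`, `/JavaScript`, `/OpenAction` and `/AA`, run over constructed sample fragments. The function names and the verdict strings are this example's own.

```python
import re
import zlib

SCRIPT_NAMES = {"JS", "JavaScript"}   # names that mark a script action
AUTO_NAMES = {"OpenAction", "AA"}     # /OpenAction fires at open; /AA holds event-driven actions

NAME_RE = re.compile(rb"/([^\s()<>\[\]{}/%]+)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)

def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so a name written J#61vaScript reads as JavaScript."""
    unescaped = re.sub(rb"#([0-9A-Fa-f]{2})",
                       lambda m: bytes([int(m.group(1), 16)]), raw)
    return unescaped.decode("latin-1")

def names_in(data: bytes) -> set:
    return {decode_name(n) for n in NAME_RE.findall(data)}

def triage(pdf: bytes) -> dict:
    found = names_in(pdf)
    # Dictionaries can sit inside Flate-compressed object streams: inflate
    # whatever inflates and scan that too; skip streams that do not.
    for body in STREAM_RE.findall(pdf):
        try:
            found |= names_in(zlib.decompressobj().decompress(body))
        except zlib.error:
            continue
    has_js = bool(found & SCRIPT_NAMES)
    auto = bool(found & AUTO_NAMES)
    if not has_js:
        verdict = "no JavaScript names found"
    elif auto:
        verdict = "JavaScript present, automatic trigger present"
    else:
        verdict = "JavaScript present, no automatic trigger seen"
    return {"javascript": has_js, "auto_trigger": auto, "verdict": verdict}

# Constructed PDF fragments (not complete files), for illustration only.
OPEN_JS = (b"1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
           b"3 0 obj << /S /JavaScript /JS (app.alert('hello')) >> endobj")
BUTTON_JS = (b"4 0 obj << /Subtype /Widget /A << /S /J#61vaScript "
             b"/JS (app.alert('clicked')) >> >> endobj")
PACKED_JS = (b"5 0 obj << /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
             + zlib.compress(b"<< /S /JavaScript /JS (app.alert(1)) >>")
             + b"\nendstream endobj")
NO_JS = b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj"

if __name__ == "__main__":
    for label, sample in [("open", OPEN_JS), ("button", BUTTON_JS),
                          ("packed", PACKED_JS), ("plain", NO_JS)]:
        print(label, triage(sample)["verdict"])
```

An automatic trigger next to a script name does not prove that the trigger points at the script, and an encrypted file hides these names from a byte scan, so treat the verdict as a triage hint rather than a clean bill of health.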
BrianG
User
Posts: 83
Joined: Thu Aug 23, 2007 1:46 pm

Re: Embedded javascript in pdf files emailed to me

Post by BrianG »

I see the "Enable Javascript Actions" option and the "Show warning..." option. The "Enable Javascript Actions" option is enabled and the "Show warning..." option is ticked but greyed out. Does that mean I'm allowing Javascript to run?

What combination of these settings will ensure a prompt before allowing Javascript to run?
TrackerSupp-Daniel
Site Admin
Posts: 8611
Joined: Wed Jan 03, 2018 6:52 pm

Re: Embedded javascript in pdf files emailed to me  SOLVED

Post by TrackerSupp-Daniel »

Hi, BrianG

Disabling "enable JavaScript actions" but leaving "show warning when JavaScript action executes" would be the desired option here. That will prevent them from running automatically in all cases where you do not explicitly specify "yes, this is a trusted document" which can run JS actions.

The "JavaScript console" options are irrelevant in this case and can be left as is.

Kind regards,
Dan McIntyre - Support Technician
Tracker Software Products (Canada) LTD

BrianG
User
Posts: 83
Joined: Thu Aug 23, 2007 1:46 pm

Re: Embedded javascript in pdf files emailed to me

Post by BrianG »

Thank you!
TrackerSupp-Daniel
Site Admin
Posts: 8611
Joined: Wed Jan 03, 2018 6:52 pm

Embedded javascript in pdf files emailed to me

Post by TrackerSupp-Daniel »

:)
Dan McIntyre - Support Technician
Tracker Software Products (Canada) LTD
