Secure the custom toolbar .js file

Forum for the PDF-XChange Editor - Free and Licensed Versions

Moderators: TrackerSupp-Daniel, Tracker Support, Paul - Tracker Supp, Vasyl-Tracker Dev Team, Chris - Tracker Supp, Sean - Tracker, Ivan - Tracker Software, Tracker Supp-Stefan

Post Reply
ng80092a
User
Posts: 21
Joined: Thu May 13, 2021 11:50 am

Secure the custom toolbar .js file

Post by ng80092a »

Dear,

I have a security question:

Is it possible to define a different location to the .js file other than %AppData%Roaming\Tracker Software\PDFXEditor\JavaScript?

Or at least encrypt the file?

A read only mode is easily disabled by the user and can be maliciously edited.

Kind regards,
User avatar
TrackerSupp-Daniel
Site Admin
Posts: 8436
Joined: Wed Jan 03, 2018 6:52 pm

Re: Secure the custom toolbar .js file

Post by TrackerSupp-Daniel »

Hi, ng80092a

No we do not offer anything to do this as this is the Appdata folder in question, which is designed for that specific user profile to have access to. I could understand worrying about the JavaScript folder under program files, but the appdata folder you specified should only be accessible to users able to access that user account.

I can say that we only need read access to that folder, so if you wish to look for alternative avenues of locking that specific folder location down, you absolutely can.

Kind regards,
Dan McIntyre - Support Technician
Tracker Software Products (Canada) LTD

+++++++++++++++++++++++++++++++++++
Our Web site domain and email address has changed as of 26/10/2023.
https://www.pdf-xchange.com
Support@pdf-xchange.com
User avatar
TrackerSupp-Daniel
Site Admin
Posts: 8436
Joined: Wed Jan 03, 2018 6:52 pm

Re: Secure the custom toolbar .js file

Post by TrackerSupp-Daniel »

Hi, ng80092a

As a followup, If you are worried about "creative" users, it is by default, possible for them to make use of our JavaScript console at any time simply by pressing Ctrl+J.
Should that be a point of concern for you, you may want to take a look at our System admin manual for ways to disable or prevent JavaScript access to users in the first place, for example, via AD policies:
https://help.pdf-xchange.com/sysad ... cript.html

Kind regards,
Dan McIntyre - Support Technician
Tracker Software Products (Canada) LTD

+++++++++++++++++++++++++++++++++++
Our Web site domain and email address has changed as of 26/10/2023.
https://www.pdf-xchange.com
Support@pdf-xchange.com
ng80092a
User
Posts: 21
Joined: Thu May 13, 2021 11:50 am

Re: Secure the custom toolbar .js file

Post by ng80092a »

TrackerSupp-Daniel wrote: Thu May 13, 2021 10:06 pm Hi, ng80092a

No we do not offer anything to do this as this is the Appdata folder in question, which is designed for that specific user profile to have access to. I could understand worrying about the JavaScript folder under program files, but the appdata folder you specified should only be accessible to users able to access that user account.

I can say that we only need read access to that folder, so if you wish to look for alternative avenues of locking that specific folder location down, you absolutely can.

Kind regards,

File security is basic, either by encryption or permissions management. This could be easily managed by changing the trusted path of that file to a network drive where the users couldn't write, and even better inside a trap door folder, with an unlisted path.

So what do you mean by alternative avenues? It's tracker software that creates this problem by only allowing reading in that path, giving no security opportunity whatsoever.
User avatar
TrackerSupp-Daniel
Site Admin
Posts: 8436
Joined: Wed Jan 03, 2018 6:52 pm

Re: Secure the custom toolbar .js file

Post by TrackerSupp-Daniel »

Hi, ng80092a

As I mentioned before, the appdata folder is explicitly for JS that is stored for that specific User, it is not the only folder which can be used, you do also have the option to use the install directory, which is by default under program files, could be installed to any alternative location on your PC. in this case, the path to the JS folder would be:
<install dir>\Tracker Software\PDF Editor\JavaScripts

As for alternative solutions, I was meaning to say that while there is nothing we can offer for this, you could very likely use windows functions, or even options such as GPO, to prevent users from making changes to these folders.

Kind regards,
Dan McIntyre - Support Technician
Tracker Software Products (Canada) LTD

+++++++++++++++++++++++++++++++++++
Our Web site domain and email address has changed as of 26/10/2023.
https://www.pdf-xchange.com
Support@pdf-xchange.com
ng80092a
User
Posts: 21
Joined: Thu May 13, 2021 11:50 am

Re: Secure the custom toolbar .js file

Post by ng80092a »

But even the program files folder is locked on c:

Would it be possible to add different letter to the trusted path (for example D:, E:.. ), and load the .js from there?
User avatar
TrackerSupp-Daniel
Site Admin
Posts: 8436
Joined: Wed Jan 03, 2018 6:52 pm

Re: Secure the custom toolbar .js file

Post by TrackerSupp-Daniel »

Hi, ng80092a

I think my explanation may have been lacking here, my apologies.

What I meant to convey is not that you need to use the C:\program files\ location but instead that, that is where the application would have been installed by default.

If you wish to change the default install location, and thus change the path to the device wide JavaScript's folder, you can certainly do so, during installation:
image_2021_05_14T16_20_07_755Z.png
Once you have installed to your desired drive and folder location, the Javascripts folder will be present under the new:
<install dir>\Tracker Software\PDF Editor\JavaScripts

Kind regards,
Dan McIntyre - Support Technician
Tracker Software Products (Canada) LTD

+++++++++++++++++++++++++++++++++++
Our Web site domain and email address has changed as of 26/10/2023.
https://www.pdf-xchange.com
Support@pdf-xchange.com
Post Reply