PDF.js converts links in PDF documents to links with the displayed HTML page. The link href isn't sanitized, so links such as javascript: (and similar variants) are XSS vectors for any website which allows PDF upload (for users of this extension). Other browser PDF plugins restrict links to http or https, which would be something to conisder doing in PDF.js. (chrome's PDF viewer forces http:, and from memory Acrobat plugin forbids the javascript: scheme in later versions) The risk is mitigated by the following factors: - a site would need to allow upload of arbitrary PDF, although this is common - The XSS vector requires user interaction (user must click the link)

Fix under review at https://github.com/mozilla/pdf.js/pull/1326

pure guess that we're trying to land this in Firefox 14? It's not in 13.

This should be resolved in our latest patch.

The patch from above (https://github.com/mozilla/pdf.js/pull/1326/files) in part of the pdf.js master; and now is part of the attachment #607846 [details] [diff] [review] of the block bug #714712. Paul, shall we do something special (unblock, close?) to this issue before 714712 landing?

The fix looks good to me, and I have tested the in plugin version as well. However I am not yet familiar with the process for making it public. For now, I will just mark it as resolved, and I'll find out what the process is for making it public.

So the verdict was leave it secured for the moment, at least long enough that users will have had their extension updated - the security team will unhide it later if/when appropriate