Javascript Lurking in Adobe Reader

I’ve been using Adobe Reader 7.0 for Linux for a while now. When I first installed it, I went through the Preferences settings to see what new and interesting features were available. One thing that caught my eye was a setting to enable/disable Acrobat Javascript. Since I couldn’t think of a reason why I would want it enabled, I made sure I disabled it. One of the annoyances of my action is that every time I view a document, I get this request window:

Request Window Grab: Do you want to enable JavaScripts from now on?

No matter how many times I run the program and click “No” the program asks me again. Knowing that I don’t need code to run just to view a PDF, I keep on clicking “No.” It turns out that my instincts were right.

DocBug writes that this represents a privacy hole and PDF files can be crafted to make an Internet connection to their mother ship whenever the file is opened. This appears to be the business model for Remote Approach—they provide a service where companies who publish PDF documents can determine who is reading a document and how the document travels through the Internet. The Remote Approach website includes a white paper titled Remote Approach and User Privacy. The interesting thing is that they seem to collect a fair amount of information. They claim that none of it is personally identifiable; however, as more bits of data accumulate in databases, the IP address of the computer opening the PDF will likely become personally identifiable as Jason Hurley points out. For now, I’ll keep clicking “no” and start reconsidering the other (open source) PDF readers for Linux.

Thanks to Ed Felten for the DocBug link.

Leave a Reply