Open Bug 1709330 Opened 4 years ago Updated 3 years ago

audit PDF.js for RFP and dFPI

Categories

(Firefox :: PDF Viewer, task, P5)

Firefox 88
task


UNCONFIRMED

People

(Reporter: thorin, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [pdfjs-integration])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0

Steps to reproduce:

Bug 1674942 enabled PDF scripting.

Perhaps this can be split into two issues.

I do not have a definite list, but PDFs have been given some RFP exemptions [1] in the past as they had no means to exfil any data. There may also be some exemptions or holes in partitioning/isolation - bug 1506693, for example.

Downstream: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40424

[1] Bug 1537955 does not spoof devicePixelRatio

Type: enhancement → task
Component: Untriaged → PDF Viewer
Flags: needinfo?(tom)

Hi Simon,
Can you provide any steps for QA, in order to reproduce this issue, or is this a dev task only?

Thanks!
Jerónimo.

Flags: needinfo?(simon.mainey)

Hi Jerónimo, just a ticket logged for further investigation as a reminder: I have Tom ni'd, so no QA at this stage, I guess.

Flags: needinfo?(simon.mainey)
Priority: -- → P5

Clearing needinfo; Tom mentioned we should mark this as blocking the uplift Tor fingerprinting bug to avoid losing it.

Flags: needinfo?(tom)
Whiteboard: [pdfjs-integration]
QA Whiteboard: qa-not-actionable