12Nis
Website with embedded PDFs and JavaScript for Acrobat
Context
On my website, users can upload their PDF files, and then some other users can view the uploaded PDF files.
I was wondering if this could come with security issues.
The uploaded PDFs are simply displayed on the website thanks to: <embed ... type="application/pdf"></embed>.
Question
Doing some research, I stumbled upon this gist: https://gist.github.com/andripwn/671ef1aa6c535d9168c900524bfb84e1 which suggests that what I do could lead to XSS attacks. I tried the code and it works: an alert is displayed on my website.
But is it really a security risk though? I'm not sure. It seems that the JS code is not normal JS, it's JS for Acrobat (https://opensource.adobe.com/dc-acrobat-sdk-docs/acrobatsdk/pdfs/acrobatsdk_jsapiref.pdf).
- Is it really an XSS? How could this be exploited?
- Are there other risks that I'm not aware of?
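
An upload-time check related to the setup described above, as an added example that is not part of the original post: it flags uploaded PDFs whose raw bytes contain the name tokens that introduce script or automatic actions, including names obfuscated with `#xx` escapes. The function names, the quarantine policy and the sample documents are assumptions constructed for illustration, and names hidden inside compressed object streams are not visible to this kind of scan.

```python
import re

# PDF name tokens that carry scripts (/JS, /JavaScript) or trigger actions
# automatically (/OpenAction, /AA). Assumed policy list for this example.
SUSPICIOUS_NAMES = {"JS", "JavaScript", "OpenAction", "AA"}

# A PDF name is "/" followed by regular characters (no whitespace or delimiters).
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
# Inside a name, "#xx" is a hex escape: "/J#61vaScript" equals "/JavaScript".
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Resolve #xx escapes so obfuscated names compare equal to plain ones."""
    decoded = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def script_indicators(pdf_bytes: bytes) -> dict:
    """Count suspicious name tokens in the raw, uncompressed bytes of the file."""
    counts = {}
    for match in NAME_RE.finditer(pdf_bytes):
        name = decode_name(match.group(1))
        if name in SUSPICIOUS_NAMES:
            counts[name] = counts.get(name, 0) + 1
    return counts


def should_quarantine(pdf_bytes: bytes) -> bool:
    """Hold back uploads that are not PDFs or that carry script/action names."""
    if not pdf_bytes.startswith(b"%PDF-"):
        return True
    return bool(script_indicators(pdf_bytes))


# Constructed sample inputs (minimal fragments, not complete documents).
CLEAN = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SCRIPTED = (
    b"%PDF-1.7\n1 0 obj\n"
    b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /J#61vaScript /JS (placeholder) >>\nendobj\n"
)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("scripted", SCRIPTED)):
        print(label, script_indicators(sample), should_quarantine(sample))
```

A match is a reason to hold the file for review, not proof of malicious content, since the same byte sequences can also occur inside ordinary stream data.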