Using the PDF viewer and security

Could somebody please help me understand whether importing PDF files into my Joplin profile / notes, and viewing them with the built-in PDF viewer (enabled in settings), could actually increase in any possible way the risk that malicious code is executed inside Joplin (by the viewer)? In other words, could there be any "active" instructions inside a PDF file, which (just for example) an Acrobat Reader or a virus scanner might detect and avoid, but which the built-in viewer may simply execute?

And if so, could this only affect the local Joplin environment, or could it spread beyond the sandbox?

I hope my questions make sense, as I know little to nothing about PDFs other than that I can print them when needed :wink:

We didn't implement the PDF Viewer; it's from Chromium, which is maintained by Google, so we assume it's relatively secure. We're also not aware of any security vulnerability related to PDF files.

Thank you for your response. I trust your judgement!!

So let me just add two remarks:
When I read "A comparison between the old and new pdf viewer" from last August, the first line seemed to say that "The old pdf viewer that joplin uses is being replaced by a new custom built one". That is why I thought it was not coming from Google or the like.
The second statement is also something I had not expected. Adobe seems to think that there are vulnerabilities, please see here: https://www.adobe.com/acrobat/resources/can-pdfs-contain-viruses.html
When you scroll down a little, you'll see that their recommendation is ... to use a trusted reader (they mean Adobe Reader, but the statement remains).

The new reader has been disabled, I believe. But even if it wasn't, it's based on a library by Mozilla, so it should be somewhat safe.

PDF is a full development language and a really weird one with lots of history. I remember reading a series a long time ago on hacking documents. PDF was featured more than once.
