
What JavaScript can escape my browser (edit: or an HTML page), for example?



XMLHttpRequest to send anything the site knows anywhere.

And row hammer, to breach the sandbox.

https://en.wikipedia.org/wiki/Row_hammer


Row hammer is an exploit. It wasn't "by design".

While that may technically be "escaping the sandbox", it's a different case, because it was never meant to work, will be fixed, and often is fixed.


Almost every "escaping the sandbox" is due to some kind of bug.

Sure if the PDF standard exposed a "globalThis.runBlobAsNativeExecutable" function it would be worse, but it is still escaping the sandbox.


Are the non-browser PDF readers more vulnerable? Do most even execute the Javascript?


I would expect so simply because browsers are fairly hardened pieces of software. Adobe Acrobat is decently hardened but it seems to be far behind browsers.

It is worth noting that Chromium and later Firefox both added PDF viewers that live inside the browser sandbox. They are essentially web-apps that render the PDF. When I worked at Google they strongly recommended using Chrome for opening PDF files because they felt much more comfortable about its security and sandboxing than other PDF readers.

Another perspective is that you are likely browsing the internet anyway. In fact, you likely got the PDF by visiting a website. So you have already exposed a huge attack surface (your browser) to a possibly hostile adversary. It is better to expose them to the same attack surface again (plus whatever security the PDF reader itself provides) than to give them a fresh new attack surface.
