Jim McCloskey points out to me (citing the Linux Weekly News for March 30, 2005) that if you open the Preferences in a recent edition of Adobe Reader (versions 6 or 7), go to the JavaScript submenu, and disable JavaScript, a message will pop up telling you that the document you are looking at contains JavaScript and may not display accurately if you disable it. Would you like to keep JavaScript enabled? The highlighted button says Yes, you would. But when I tried this (with Acrobat version 6.0.3, Professional Edition, under Mac OS X) it was on a document of my own, produced with LaTeX. There was absolutely no chance of there being JavaScript in the document. The program was telling a flat lie (assuming this is metaphysically possible for a piece of software). Unless it's just an accidental bug. But there is independent reason to be suspicious about JavaScript in PDFs. It's not pretty. Let me explain.
A company called Remote Approach is apparently in business with a service that exploits JavaScript attached to PDF documents in order to provide publishers with information about the "reach and use" of the materials they make available. (Story here.) Apparently, when you use Adobe software to view a PDF file that has been uploaded and tagged by Remote Approach (and you won't know whether a given document has been tagged, since the publisher does it), the publisher will learn that you viewed it and will know your IP address and which viewer you use. This trick is accomplished by adding to the document some JavaScript code that secretly sends information out via port 80.
I'm not really a privacy freak, but this seems a little creepy even to me. Be warned. But also be encouraged: you can disable JavaScript despite the untrue claims in the warning message when you do so.
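A reader who would rather check a file than trust the viewer's dialog can look for the PDF names that carry script or automatic actions. The sketch below is an added example, not part of the original post and not code from Adobe or Remote Approach. It assumes an unencrypted file and only inflates zlib (FlateDecode) streams, and both sample byte strings are constructed.

```python
import re
import zlib

# PDF names that mark script or an action that can run or phone home on open.
WATCHED = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/URI", b"/SubmitForm")
NAME_RE = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)

def decode_name(raw: bytes) -> bytes:
    """Undo #xx hex escapes, so /J#61vaScript is read as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)

def inflated_streams(data: bytes):
    """Yield the contents of every stream that inflates as zlib (FlateDecode)."""
    for m in STREAM_RE.finditer(data):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # other filter or encrypted: this stream stays unscanned

def scan_pdf(data: bytes) -> dict:
    """Count watched names in the raw bytes and inside inflatable streams."""
    counts = {name.decode(): 0 for name in WATCHED}
    for blob in (data, *inflated_streams(data)):
        for m in NAME_RE.finditer(blob):
            name = decode_name(m.group(0))
            if name in WATCHED:
                counts[name.decode()] += 1
    return counts

def has_javascript(data: bytes) -> bool:
    counts = scan_pdf(data)
    return counts["/JavaScript"] > 0 or counts["/JS"] > 0

# Constructed samples, not real files: a plain catalog, and a catalog whose
# open action lives in a compressed object stream under an escaped name.
PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
ACTION = zlib.compress(b"<< /S /J#61vaScript /JS (constructed placeholder) >>")
TAGGED = (b"%PDF-1.5\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
          b"2 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
          + ACTION + b"\nendstream\nendobj\n")

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN), ("tagged", TAGGED)):
        print(label, has_javascript(sample), scan_pdf(sample))
```

A nonzero count is a reason to inspect the file, not proof of tracking, since the byte-level match can also land on text or binary data that merely looks like a name.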
I must say, I didn't see this possibility coming at all. Sometimes I frighten myself with my inability to see into the future of technology.
Posted by Geoffrey K. Pullum at April 8, 2005 07:44 PM