Keeping with the theme of
data security Stefan Esser has just made a post at the php security blog highlighting a
XSS vulnerability with the adobe pdf plugin in firefox.
Although he presents instructions for how to protect yourself as a web user he does not offer any tips on how, as website developers, we can protect against our visitors data being compromised. The reason for this is simply that nothing, short of removing all pdf documents from a site, can be done to protect against this. The query string isn't transmitted to the server so we can't know that it is even present.
The only possibility is that there is some option available during the creation of a pdf document which will prevent javascript being run. I've no idea whether such a functionality exists though.
Until then though we'll have to wait for our users to update to version 8 of the plugin - a comment has been posted suggesting it is not a problem in the 8th version of the plugin.
