(Archived) Security concern? Foxit PDF Reader (inside Evernote), allows JS scripts to be executed?


Using EV client version 3.1.0,1225
(yes, I know - it's ancient, but it works for me...),
with WIN-XP SP3 -32 bit.

When I read a PDF stored as an EV Note,
EV pops up an info window,
saying it's using the FOXIT PDF Reader inside EV,
to render the PDF.

That's OK...

But what if the PDF (stored and rendered inside EV),
contains an embedded, malicious JS script,
and the JS script gets executed
by the EV Foxit Reader?

For my local PDF files (in my HD),
I read PDF files with Sumatra PDF Reader  or  PDF-Xchange Reader,
both with JS script execution TURNED OFF...


Question:
========


Does EV's Foxit Reader have JS script execution TURNED OFF?
(while rendering a PDF file INSIDE the EV client version 3.1.0,1225).

If it is not turned off,
that would be a HUGE security risk in PDF rendering inside Evernote!

Is this a Security Risk?
Thanks for any opinions or facts.


My two cents - it's difficult to evaluate your risk properly.  You're using an old version of Evernote on an old OS to read PDFs you've imported from unknown websites. 

 

Don't know whether current AV software updates still support XP or what version you have installed. There's obviously a risk. You could minimise it by saving PDFs as attachments so they don't display on your system, and using 'open with' to choose your own PDF reader.

 

I'd also recommend backups. Lots of regular backups.


2 Gazumped: 

Thanks for the quick & clear answer!

 

Yes,  as you suggested -

saving PDFs as attachments

(so they don't auto-display on my system via the built-in Foxit PDF Reader),

is the solution.

 

Again, thank you Gazumped!


Archived

This topic is now archived and is closed to further replies.
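
An added example, not part of the original thread and not Evernote or Foxit code: a triage scan that checks a PDF for JavaScript and auto-action keys before it is stored where an embedded viewer would render it. The function names, key lists and sample byte strings are constructed here; the scan reads raw bytes only, so keys inside compressed object streams are reported as inconclusive rather than absent.

```python
import re

ACTIVE_KEYS = ("/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch")
OPAQUE_KEY = "/ObjStm"  # compressed object streams can hide the keys above

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A PDF name: "/" followed by anything except whitespace and delimiters.
_NAME = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /J#61vaScript is read as /JavaScript."""
    plain = _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return plain.decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Count script and auto-action keys in raw, undecompressed PDF bytes."""
    counts = {key: 0 for key in ACTIVE_KEYS + (OPAQUE_KEY,)}
    for match in _NAME.finditer(data):
        name = decode_name(match.group(0))
        if name in counts:
            counts[name] += 1
    return counts


def verdict(data: bytes) -> str:
    counts = triage_pdf(data)
    if any(counts[key] for key in ACTIVE_KEYS):
        return "active"        # keep as attachment, open with a JS-disabled reader
    if counts[OPAQUE_KEY]:
        return "inconclusive"  # keys may sit inside a compressed object stream
    return "no-markers"


# Constructed sample documents (fragments, just enough for the scan).
CLEAN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"
SCRIPTED = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
            b"3 0 obj\n<< /S /J#61vaScript /JS 4 0 R >>\nendobj\n%%EOF\n")
PACKED = (b"%PDF-1.5\n5 0 obj\n<< /Type /ObjStm /N 3 /First 20 >>\n"
          b"stream\n...\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN), ("scripted", SCRIPTED), ("packed", PACKED)):
        print(label, verdict(doc), triage_pdf(doc))
```

A "no-markers" result only means none of the listed keys appear in the raw bytes; it is a reason to look no further with this tool, not proof the file is harmless.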
