PDFs Are Not as Safe as You Think
PDF files are ubiquitous in business, education, and personal use. Most people assume they are static, harmless documents. In reality, PDFs can contain executable JavaScript, hidden metadata revealing the author's identity, embedded tracking pixels, and even malicious payloads that exploit vulnerabilities in PDF readers. Understanding these risks is essential for anyone who regularly handles documents.
The PDF format was designed to be feature-rich, supporting everything from embedded multimedia to interactive forms and scripting. This flexibility is precisely what makes PDFs a potential security threat. Every additional feature represents an attack surface that malicious actors can exploit.
Hidden Metadata in PDFs
Every PDF carries metadata that can reveal sensitive information:
- Author name — Often your full name from your OS user profile
- Organization — Your company name from software settings
- Creation and modification dates — Reveals your work timeline
- Software used — Which application and version created the document
- Revision history — Some PDFs retain previous versions of content, including deleted text
- GPS data — If scanned from a phone, location data may be embedded
- Embedded fonts — Can reveal what software and operating system the author uses
- File paths — Some PDF generators embed the original file path, potentially exposing your username and directory structure
This metadata leakage has had real consequences. Legal firms have accidentally exposed confidential client information through PDF metadata. Government agencies have leaked classified details hidden in document properties. Journalists have been identified through metadata in documents they thought were anonymous.
Use our PDF Tools to re-process PDFs and strip unnecessary metadata before sharing sensitive documents.
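As an added example (not part of the original article or of any tool it mentions), the Python sketch below audits a PDF's raw bytes for the leaks listed above: Info-dictionary fields, user names inside embedded file paths, and leftover revisions. The function names and the sample bytes are constructed for illustration, and the scan assumes uncompressed metadata, so values inside compressed object streams or XMP packets are only flagged, not decoded.

```python
import re

# Standard Info-dictionary keys that tend to reveal identity or environment.
KEYS = rb"Author|Creator|Producer|Title|CreationDate|ModDate"
# A key followed by a literal string "(...)" or a hex string "<...>".
FIELD = re.compile(
    rb"/(" + KEYS + rb")\s*(\((?:\\.|[^\\()])*\)|<[0-9A-Fa-f\s]*>)", re.S)
# Windows, macOS and Linux home-directory paths; group 1 is the user name.
HOME_PATH = re.compile(r"(?:[A-Za-z]:\\Users\\|/Users/|/home/)([^\\/]+)")
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t"}

def decode_pdf_string(token: bytes) -> str:
    """Decode a literal or hex string token (octal escapes are not handled)."""
    if token.startswith(b"<"):
        digits = re.sub(rb"\s", b"", token[1:-1])
        raw = bytes.fromhex((digits + b"0" * (len(digits) % 2)).decode())
    else:
        raw = re.sub(rb"\\(.)", lambda m: ESCAPES.get(m.group(1), m.group(1)),
                     token[1:-1], flags=re.S)
    if raw.startswith(b"\xfe\xff"):  # UTF-16BE text with a byte-order mark
        return raw[2:].decode("utf-16-be", "replace")
    return raw.decode("latin-1")  # approximation of PDFDocEncoding

def audit_metadata(pdf: bytes) -> dict:
    """Report identity-revealing values visible in the raw bytes of a PDF."""
    fields = {}
    for key, token in FIELD.findall(pdf):
        values = fields.setdefault(key.decode(), [])
        text = decode_pdf_string(token)
        if text not in values:
            values.append(text)
    users = {m.group(1) for vals in fields.values() for v in vals
             for m in HOME_PATH.finditer(v)}
    return {
        "fields": fields,
        "usernames_in_paths": sorted(users),
        # Each incremental save appends another %%EOF; older revisions remain.
        "eof_markers": pdf.count(b"%%EOF"),
        "has_xmp": b"<x:xmpmeta" in pdf,
    }

SAMPLE = (  # constructed sample bytes, not a real document
    b"%PDF-1.7\n1 0 obj\n<< /Author (Alice Example) /Creator (Microsoft Word)\n"
    b"/Title (C:\\\\Users\\\\aexample\\\\Desktop\\\\offer_draft.docx)\n"
    b"/Producer <FEFF004100630072006F> /CreationDate (D:20240102030405Z) >>\n"
    b"endobj\n%%EOF\n"
    b"1 0 obj\n<< /Author (Legal Dept) >>\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    print(audit_metadata(SAMPLE))
```

More than one `%%EOF` marker is a hint rather than proof of retained revisions, because linearized ("fast web view") files also contain two. Run the same audit on the cleaned copy to confirm the values are gone before the file leaves your machine.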
Malicious PDF Attacks
JavaScript Execution
PDFs can contain JavaScript code that executes when opened. Attackers use this to exploit vulnerabilities in PDF readers, potentially installing malware or stealing data. A malicious PDF might silently download a payload in the background, redirect you to a phishing site, or exploit a buffer overflow vulnerability in your reader. Always keep your PDF reader updated and disable JavaScript execution in PDF settings.
Embedded Files and Links
Malicious PDFs may contain embedded executables or links to phishing sites. Be cautious of PDFs that ask you to click links, enable features, or open attached files. Some PDFs disguise embedded executables as harmless attachments like "invoice.xlsx" when they are actually malware.
Form Data Harvesting
PDF forms can be configured to send entered data to remote servers. Be careful about which PDFs you fill out and where they came from. A seemingly legitimate tax form or application could be silently transmitting your entered data to an attacker-controlled server.
Tracking Pixels and Phone-Home Features
Some PDFs contain invisible tracking pixels or scripts that notify the sender when you open the document. This technique is used by marketers, but also by attackers conducting reconnaissance. The PDF can report your IP address, the time you opened it, and even your geographic location.
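The features described in this section all appear in the file as name tokens, so a received PDF can be triaged before it is opened. The Python sketch below is an added example, not code from the article; the function names, the `auto_run` heuristic and the sample bytes are constructed for illustration, and it assumes the objects are not hidden inside compressed object streams. It resolves `#xx` escapes in names first, because the PDF format allows any character of a name to be written that way.

```python
import re

# Name tokens for the active features described in this section.
RISKY = {
    "JavaScript": "script action", "JS": "script source",
    "OpenAction": "action run when the document opens",
    "AA": "additional actions fired by events",
    "Launch": "starts an external program or file",
    "EmbeddedFile": "file attached inside the document",
    "SubmitForm": "form contents sent to a URL",
    "URI": "link to an outside address",
}
NAME = re.compile(rb"/([^\s()<>\[\]{}/%]+)")    # a PDF name token
HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")     # "#xx" escape inside a name
URL = re.compile(rb"\((https?://[^()\s]+)\)")   # URL held in a literal string

def normalize(raw: bytes) -> str:
    """Resolve #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    decoded = HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")

def triage(pdf: bytes) -> dict:
    """Count risky names, list escaped spellings and remote endpoints."""
    counts, obfuscated = {}, []
    for raw in NAME.findall(pdf):
        name = normalize(raw)
        if name in RISKY:
            counts[name] = counts.get(name, 0) + 1
            if b"#" in raw:  # a risky name written with escapes is itself a signal
                obfuscated.append(raw.decode("latin-1"))
    runs_code = any(k in counts for k in ("JavaScript", "JS", "Launch"))
    automatic = any(k in counts for k in ("OpenAction", "AA"))
    return {
        "counts": counts,
        "obfuscated": obfuscated,
        "urls": [u.decode("latin-1") for u in URL.findall(pdf)],
        "auto_run": runs_code and automatic,  # heuristic: code plus a trigger
    }

SAMPLE = (  # constructed sample bytes, not taken from a real file
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /J#61vaScript /JS (placeholder) >> endobj\n"
    b"3 0 obj << /S /SubmitForm /F << /FS /URL"
    b" /F (https://collector.example/submit) >> >> endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A hit is a reason to open the file only in a sandboxed viewer or to ask the sender about it, not a verdict: ordinary forms and linked documents use several of these names legitimately.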
Safe PDF Handling Practices
- Keep your PDF reader updated — Adobe Acrobat, Foxit, and browser-based readers all receive security patches that address known vulnerabilities
- Disable JavaScript in PDF settings — Most legitimate PDFs do not require JavaScript; disabling it eliminates a major attack vector
- Open suspicious PDFs in your browser — Browser PDF viewers are sandboxed and safer than desktop applications
- Never open PDFs from unknown senders — Treat unexpected PDF attachments like suspicious links
- Use our PDF Tools to process PDFs client-side without uploading them to third-party services
- Remove metadata before sharing — Re-save documents through a clean tool to strip hidden data
- Verify the source — Even if a PDF appears to come from a trusted contact, verify through a separate channel if it was unexpected
How to Disable JavaScript in Common PDF Readers
Here is how to turn off JavaScript execution in the most popular PDF readers:
- Adobe Acrobat Reader — Go to Edit > Preferences > JavaScript and uncheck "Enable Acrobat JavaScript"
- Foxit Reader — Go to File > Preferences > JavaScript and uncheck "Enable JavaScript Actions"
- Browser-based viewers — Chrome, Firefox, and Edge PDF viewers do not execute PDF JavaScript by default, making them inherently safer
Sharing Documents Safely
When sharing PDFs externally:
- Strip metadata using client-side tools like our PDF Tools
- Flatten form fields if the recipient does not need to edit them
- Password-protect sensitive documents
- Use secure file sharing methods rather than email for highly sensitive content
- Consider whether a PDF is even necessary — sometimes a simple text summary is safer
- Verify hash values of important documents to ensure they have not been tampered with during transit
Understanding these risks helps you handle documents more carefully. Most PDF threats are preventable with basic awareness and good habits. Make it a standard practice to process every PDF through a clean tool before sharing it externally, and always question unexpected PDF attachments regardless of who appears to have sent them.

Raimundo Coelho
Cybersecurity specialist and technology professor with over 20 years of experience in IT. Graduated from Universidade Estácio de Sá. Writing practical guides to help you protect your data and stay safe in the digital world.