[tbb-bugs] #18390 [Tor Browser]: PDF.js triggers canvas fingerprinting warning for some PDFs

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Feb 27 21:06:47 UTC 2016

#18390: PDF.js triggers canvas fingerprinting warning for some PDFs
 Reporter:  xcolour      |          Owner:  tbb-team
     Type:  defect       |         Status:  closed
 Priority:  Medium       |      Milestone:
Component:  Tor Browser  |        Version:
 Severity:  Normal       |     Resolution:  not a bug
 Keywords:               |  Actual Points:
Parent ID:               |         Points:
  Sponsor:               |

Comment (by cypherpunks):

 Replying to [comment:3 cypherpunks]:
 > How about substituting site-hosted pdf.js with builtin one in an iframe?
 This is interesting. Maybe NoScript surrogates would be enough?

 Interesting I said, but I actually do not like idea. You would be running
 privileged code in an unprivileged context. Need a refresher on privilege
 escalation exploits? How about these 2:

 That's a High and a Critical vuln, according to Mozilla's classification,
 in pdf.js in the last what 6-7 months? The second one was found in the

 I think in Tor Browser we should prefer security over convenience. And
 what kind of inconvenience are we talking about here? This is not Tor
 Browser outright blocking all canvas code. Is presenting a prompt, in some
 accesses, and you could dismiss it as well.

 In this case, if you decide to disallow it (the finer choice), what's the
 impact? yurydelendik tells us in
 https://github.com/mozilla/pdf.js/issues/7026#issuecomment-188802006: "it
 will affect the display quality for some old windows machines". Who the
 hell cares? :)

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18390#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list