Fahim

Reputation: 723

Opening PDF files in the browser vulnerability

We have a Java based web application deployed on WebLogic. We provide direct links to some PDF files, which the users can download/ open in their browser. Our security team is claiming that to allow opening PDF files in the browser is a security risk. So they want to force the users to download the PDF files first rather than opening them in the browser window.

  1. Is this really a security risk?

  2. If the PDF is a trojan/ vulnerable, how could downloading the file first and then opening it solve the problem?

  3. Is there a way to programmatically prevent the user from opening the PDF files in the browser window and to force downloading the PDF files first?

Upvotes: 1

Views: 1201

Answers (2)

Deepak N

Reputation: 21

To force the browser to give a download option for the PDF:

// Tells the browser to save the response rather than render it inline
response.setHeader("Content-Disposition", "attachment;filename=\"" + filename + "\"");

Upvotes: 1
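A fuller version of that header-setting, as an added example that is not from the answer above or from the asker's application: a servlet that sends the PDF as an attachment and sanitizes the filename before it goes into the header, since a request-controlled name containing quotes or CR/LF could otherwise corrupt or inject response headers. The servlet class, the `lookupPdf` helper and the `id`/`name` request parameters are assumptions.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class PdfDownloadServlet extends HttpServlet {
    // Replace quotes, backslashes, slashes and control characters (CR/LF included)
    // so a request-influenced name cannot break out of the header value.
    static String safeFilename(String name) {
        String cleaned = name == null ? "" : name.replaceAll("[\\p{Cntrl}\"\\\\/]", "_");
        if (cleaned.isEmpty() || cleaned.equals(".") || cleaned.equals("..")) {
            cleaned = "document";
        }
        return cleaned.endsWith(".pdf") ? cleaned : cleaned + ".pdf";
    }

    // Build the header with an ASCII fallback plus the RFC 5987 filename* form,
    // so non-ASCII names survive in browsers that support either syntax.
    static String contentDisposition(String name) throws UnsupportedEncodingException {
        String safe = safeFilename(name);
        String ascii = safe.replaceAll("[^\\x20-\\x7E]", "_");
        String encoded = URLEncoder.encode(safe, "UTF-8").replace("+", "%20");
        return "attachment; filename=\"" + ascii + "\"; filename*=UTF-8''" + encoded;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        byte[] pdf = lookupPdf(req.getParameter("id"));
        if (pdf == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        resp.setContentType("application/pdf");
        // nosniff stops the browser from guessing a type other than the declared one.
        resp.setHeader("X-Content-Type-Options", "nosniff");
        resp.setHeader("Content-Disposition", contentDisposition(req.getParameter("name")));
        resp.setContentLength(pdf.length);
        try (OutputStream out = resp.getOutputStream()) {
            out.write(pdf);
        }
    }

    // Hypothetical placeholder for the application's own lookup of the stored PDF bytes.
    private byte[] lookupPdf(String id) {
        throw new UnsupportedOperationException("wire to the application's PDF storage");
    }
}
```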

Michael

Reputation: 991

Forcing the user to save a PDF file first and then open it is actually likely to be more risky than allowing it to be opened in the browser.

It's not better:

  • Any vulnerabilities in your PDF reader (probably Adobe Reader) will be triggered whether it is opened now or later.
  • Any decent virus scanner will be able to scan a PDF before it is opened, no matter if the PDF was downloaded to a temporary internet files folder, or some other user-selected folder (e.g. downloads). (But if these are your PDF files, viruses probably aren't much of a concern.)

But it might be worse:

  • If the client is Firefox, then allowing the PDF to be opened directly will lead to PDF.js being used, which is likely to be more secure than Adobe Reader. In bypassing this client, you're exposing your users to greater risk.
  • You are conditioning users to download and open files from the internet. A minor point, but the more you can avoid this the better.

Upvotes: 0
