Not surprised by the new security vulnerability in Mozilla's PDF.js - patched in latest Firefox. But remind me again why browsers try to render PDFs to begin with?
Displaying PDFs in browsers opens a huge new attack surface. PDFs are complex. Browsers render PDF forms poorly and offer only a limited subset of the many accessibility features provided by dedicated PDF software.
