Do PDFs have the ability to phone home

adobe-readerpdf

That is, can they send any personally identifiable information to an external host (for example, the PDF author's server)? If so, is there a way to disable this in common PDF viewers (Adobe Reader, Mac OS X Preview) without resorting to using a firewall rule?

Best Answer

They are certainly not supposed to be able to except perhaps to report result from a form submission, but there's a Javascript engine in recent Adobe PDF implementations that has been the source of security problems with Acrobat Reader and related software.

Adobe's docs on the Javascript API for Acrobat products may give you some ideas about hat it's supposed to do and are easily found (sorry for not linking, low rep here).

Here is one of the many posts to SANS ISC about Acrobat Reader vulnerabilites related to the Javascript feature. Please be aware that even when disabled as recommended the Javascript feature is often re-enabled by Adobe software updates. There's a lot more discussion on the various security sites about this if you'd care to look into it.