Adobe Reader and Acrobat JavaScript Blacklist Framework

The Adobe Reader and Acrobat JavaScript Blacklist Framework introduced in versions 9.2 and 8.1.7 provides granular control over the execution of specific JavaScript APIs. This mechanism allows selective blocking of vulnerable APIs so that you do not have to resort to disabling JavaScript altogether.

The blacklist is maintained in the Windows registry and the Macintosh OS X FeatureLockdown file. On Windows, there are two blacklists: one for enterprise administrators and one for Adobe patches and updates.

 

 

Blacklist locations

Macintosh: Policy deployment is specific to Windows, so Macintosh has only one update/patch blacklist, at Contents::MacOS::Preferences > FeatureLockDown/cJavaScriptPerm/tBlackList.

The JavaScript blacklist can be in two locations on Windows:

  • Windows: Enterprise list: This blacklist helps enterprises roll out policies that block exploitable APIs from executing in their environment. Populating the blacklist in this location is the responsibility of the enterprise. Adobe patches never modify this registry location. HKLM\SOFTWARE\Policies\Adobe\<product>\<version>\FeatureLockDown\cJavaScriptPerms\tBlackList
  • Windows: Adobe's update/patch list: The Adobe blacklist is modified by Acrobat and Adobe Reader patches whenever an API is deemed vulnerable. APIs are also removed from the blacklist whenever a fix for a vulnerability is provided by the current patch. HKLM\SOFTWARE\Adobe\<product>\<version>\JavaScriptPerms\tBlackList
  • On a 64-bit Windows system, the path is HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Adobe

Blacklist rules of operation

  • Blacklist settings do not apply to 3D JavaScript.
  • If JavaScript is enabled and a blacklisted JavaScript is encountered, the Document Message Bar warns the user about the script and no scripts are executed, even those that are not blacklisted. A NotAllowedError exception is thrown on the JavaScript console.

[Figure: Blacklisted JavaScript warning]

  • The two blacklists interact so that the most restrictive setting takes precedence; that is, if one blacklist blocks an API and the other does not, the API is blocked.
  • To avoid breaking existing customer workflows, blacklists can be overridden by:
    • Trusted locations identified by ID in the cUnsafeJavaScript key. Files, folders, and hosts that should be trusted for running blacklisted JavaScript are identified by an ID. This ID is stored in HKCU\Software\Adobe\(product name)\(version)\TrustManager\cTrustedFolders|cTrustedSites\cUnsafeJavaScript. This trust is granted automatically whenever a user configures a privileged location through the user interface.
    • Certified documents signed with certificates that chain up to a trust anchor trusted for executing high-privileged JavaScript.

Blacklist configuration

The manual steps described below require administrator privileges on a machine and should only be undertaken by someone experienced in registry-level configuration. In most cases, configuration occurs via the Customization Wizard prior to client deployment or via a scripting mechanism post-deployment.

To manually configure a blacklist:

Open the registry editor.

  1. Go to HKLM\SOFTWARE\Policies\Adobe\<product>\<version>\FeatureLockDown\cJavaScriptPerms\
  2. Create cJavaScriptPerms if it does not exist by right-clicking and choosing New Key
  3. Create tBlacklist: right-click in the right-hand panel and choose New > String value
  4. Enter tBlacklist
  5. Right-click on tBlacklist and choose Modify

[Figure: Registry configuration of cJavaScriptPerms]

  1. Add the APIs to block as a pipe-separated list in the format:
    • <some Object Name>.<Some Api Name>
    • For example: Util.CharToByte|App.alert|Collab.getIcon
  2. Exit and restart the application
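
The manual steps above can also be scripted after deployment. The following PowerShell sketch is an added example, not Adobe's code: it validates each entry, merges it into the enterprise tBlackList, and prints the effective block set, which is the union of both lists because the most restrictive setting takes precedence. The parameter names and the Get-BlackList helper are assumptions made for this example, and $Product and $Version stand in for the <product> and <version> path components.

```powershell
# Added example (not Adobe's code). Run from an elevated prompt.
param(
    [Parameter(Mandatory)][string]$Product,   # value for <product> in the paths above
    [Parameter(Mandatory)][string]$Version,   # value for <version> in the paths above
    [Parameter(Mandatory)][string[]]$Api      # e.g. 'Util.CharToByte','App.alert'
)

$enterprise = "HKLM:\SOFTWARE\Policies\Adobe\$Product\$Version\FeatureLockDown\cJavaScriptPerms"
# Adobe's update/patch list; the second path is the 64-bit Windows location.
$adobe = "HKLM:\SOFTWARE\Adobe\$Product\$Version\JavaScriptPerms",
         "HKLM:\SOFTWARE\Wow6432Node\Adobe\$Product\$Version\JavaScriptPerms"

# Hypothetical helper: emit the tBlackList entries found under the given keys.
function Get-BlackList([string[]]$Key) {
    foreach ($k in $Key) {
        $p = Get-ItemProperty -LiteralPath $k -Name tBlackList -ErrorAction SilentlyContinue
        if ($p) { $p.tBlackList -split '\|' | Where-Object { $_ } }
    }
}

# Every entry must be <Object>.<Api>; a stray space or '|' would corrupt the list.
$bad = @($Api | Where-Object { $_ -notmatch '^\w+\.\w+$' })
if ($bad.Count) { throw "Not in <Object>.<Api> form: $($bad -join ', ')" }

# Create cJavaScriptPerms (and any missing parent keys) if it does not exist.
if (-not (Test-Path -LiteralPath $enterprise)) {
    New-Item -Path $enterprise -Force | Out-Null
}

# Merge with entries already present so earlier blocks are not lost, then
# write the pipe-separated string value (Sort-Object -Unique ignores case).
$merged = @(@(Get-BlackList $enterprise) + $Api | Sort-Object -Unique)
New-ItemProperty -LiteralPath $enterprise -Name tBlackList -PropertyType String `
    -Value ($merged -join '|') -Force | Out-Null

# Most restrictive wins: an API blocked in either list is blocked.
$effective = @(@(Get-BlackList $enterprise) + @(Get-BlackList $adobe) | Sort-Object -Unique)
"Enterprise list : $($merged -join '|')"
"Effective blocks: $($effective -join '|')"
```

As with the manual procedure, the application must be restarted before the new list takes effect.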

 

Source: Adobe

Anonymous

Infosec

Post date: 06/20/2013 - 00:32