I am not security pro, but I wonder if server-side installations of PDF.js are exploitable? WordPress plugins using PDF.js, can these become a new vector to attack webservers? Case, site uses PDF.js plugin to render pDFs for users. Is it possible to access server filesystem through PDF.js?
There are not exploitable (at least not the same way). Firefox PDF viewer is a modification of PDF.js, so PDF.js code would run in the browser without a web server. The exploit might poke a hole in EMBED tag security of the web browser (and not in the PDF.js code itself). WP plugin shall be safe as any web application (unless it introduces similar security hole in its code, e.g. XSS).
