Hacker News

dolmen 06/16/2025

It is not sandboxed.

So one can expect zero days exist and are exploited.

That may not be a feature for you, but it is for attackers.


Replies

jasonjayr 06/16/2025

Does it implement any of the dynamic features in PDF that are vectors for easy attacks like that?

PDF was originally a display-only format.

shakna 06/16/2025

Sumatra has more security features than most other readers?

For example, it doesn't support JavaScript. And it doesn't support GoToE.

The text features, both strings and fonts, get sent through HarfBuzz for sanitisation.

How is it not sandboxed?