We actively maintain and provide security updates for the following versions:
| Version | Supported |
|---|---|
| 25.x.x | β |
| 20.x.x | β |
| < 20.x | β |
We take security vulnerabilities seriously. If you discover a security vulnerability in ng2-pdfjs-viewer, please follow these guidelines:
Please do NOT report security vulnerabilities through public GitHub issues, discussions, or pull requests.
Instead, please report security vulnerabilities privately by:
- Email: Send details to [email protected]
- GitHub Security Advisories: Use the "Report a vulnerability" button on the Security tab
- Responsible Disclosure: Follow responsible disclosure practices
When reporting a vulnerability, please include:
- Description: Clear description of the vulnerability
- Steps to Reproduce: Detailed steps to reproduce the issue
- Impact Assessment: Potential impact and affected components
- Environment: Browser, Angular version, ng2-pdfjs-viewer version
- Proof of Concept: If applicable, include a minimal reproduction case
- Suggested Fix: If you have ideas for a fix, please share them
We recognize security researchers who help improve ng2-pdfjs-viewer security:
- [Your Name] - CVE-XXXX-XXXX - Description of contribution
- [Another Researcher] - CVE-XXXX-XXXX - Description of contribution
ng2-pdfjs-viewer is designed to work with strict Content Security Policies:
<meta http-equiv="Content-Security-Policy"
content="default-src 'self';
style-src 'self';
script-src 'self';">Note: v25.0.11+ includes fixes for CSP compliance issues with inline styles.
The component uses iframe sandboxing for security:
<iframe sandbox="allow-forms allow-scripts allow-same-origin allow-modals">ng2-pdfjs-viewer is built on PDF.js, which includes:
- XSS Protection: Built-in protection against malicious PDF content
- Sandboxing: Isolated execution environment
- Regular Updates: Following PDF.js security updates
- Keep Dependencies Updated: Regularly update Angular and PDF.js dependencies
- Use HTTPS: Always serve PDFs over HTTPS in production
- Validate Input: Validate PDF sources and user inputs
- CSP Headers: Implement proper Content Security Policy headers
- Error Handling: Don't expose sensitive information in error messages
- Update Regularly: Keep ng2-pdfjs-viewer updated to the latest version
- Secure Sources: Only load PDFs from trusted sources
- HTTPS: Use HTTPS when serving PDFs
- Review Permissions: Be cautious with PDFs that request special permissions
- CSP Inline Style Violations (v25.0.11): Fixed inline style CSP violations in component template
- XSS Prevention: iframe sandboxing prevents PDF-based XSS attacks
- URL Validation: Built-in URL validation prevents unauthorized file access
- PDF.js Vulnerabilities: Inherits any security issues from PDF.js core
- Browser Security: Relies on browser security for iframe isolation
- Network Security: PDF loading depends on network security
Security updates are typically released as:
- Patch Releases: For critical security fixes (e.g., 25.0.12)
- Minor Releases: For important security improvements (e.g., 25.1.0)
- Major Releases: For significant security architecture changes (e.g., 26.0.0)
- Security Issues: [email protected]
- General Support: GitHub Issues
- Documentation: Documentation Site
We thank the security community for their contributions to making ng2-pdfjs-viewer more secure. Special thanks to:
- The PDF.js team at Mozilla for their security-focused approach
- Angular team for security best practices
- All security researchers who have reported vulnerabilities
Last Updated: October 2025
Version: 25.x