To turn off JavaScript execution in PDFs: Enter about:config in the address bar click 'I'll be careful.' In the search box near the top, enter pdfjs.enableScripting. Firefox's main preferences dialog offers no control for turning this 'feature' off.
The newly released Firefox version 88 has flipped that switch, and will now blithely execute JavaScript embedded in PDFs. Firefox's built-in viewer, although it has apparently had the ability to execute embedded JS for some time, never turned that feature on, making it a safe(r) way to open PDFs. Putatively offered as a way to create self-validating forms, this scripting capability has been abused over the decades in just about every way you can imagine. All you have to do is click on the link of the PDF file. The viewer is on by default, so you don’t have to worry about enabling it.
In addition to the other weird things PDF files can contain, one of them is JavaScript. The convenience of these built-in PDF viewers like Firefox’s is that it allows users to open and view PDF files online without a plug-in. Ewhac writes: Firefox has long had a built-in PDF viewer, allowing users to view PDF files in the browser without having to install a third-party application.