Does the Document Viewer plugin present a security risk?

PavelP
Mega Sage

Hi, 

We recently activated the Document Viewer plugin to view documents directly in the platform - see the link to the documentation.

https://docs.servicenow.com/bundle/paris-platform-user-interface/page/use/using-forms/concept/Docume...

I have a mildly general question - could activation of this plugin present a security risk? I.e., could opening a document in the viewer trigger malicious code from the attachment? Is it a concern regarding which tables and data types should be allowed?

Thanks in advance for your reply.

Best regards

Pavel

1 ACCEPTED SOLUTION

The reply from SNOW in HI ticket: https://support.servicenow.com/now?id=form&sys_id=3daf2986db308110f77799ead396197f&table=sn_customerservice_case 

 

1. Could activation of this plugin present a security risk? I.e., could opening a document in the viewer trigger malicious code from the attachment?

- No. The plugin has already gone through the security review and there are no security risks with the Document Viewer plugin. Just to let you know - when the user uses this plugin, only PDF documents are viewed. Other types of documents are not affected at all. Opening a document in the viewer just renders the PDF document. It does not trigger any malicious code. Document Viewer is a plugin that we have shipped for almost 6 previous releases with no security issues reported. It is verified by the security team. We also ensured that nothing malicious can take place while using this plugin. This is a safe and secure plugin that can be used without any issue.


2. Is it a concern regarding which tables and data types should be allowed?

- We don't have restrictions on tables; the file/data types are listed here:
https://docs.servicenow.com/bundle/rome-servicenow-platform/page/use/using-forms/concept/Documentviewer.html


3 REPLIES

Allen Andreas
Administrator

Hi,

You may need to submit a Support/HI ticket for this and discuss this internally with ServiceNow, but in my past experience, especially with FedRAMP instances, Document Viewer was identified as "not working", most likely due to the possibility of exposure. I don't know the specifics, but it being disabled for FedRAMP and encryption would lead me to believe that it's more of a security vulnerability than perfectly fine. I'm NOT saying it's a security issue, but SN not allowing it in specific situations "could" mean that there is one, or that they're playing it safe by not allowing it.

Again, you'd want to submit a ticket and then SN can link you up with their security team and discuss this more, but there aren't going to be true exposures and vulnerabilities posted on the forums, even if there were.

However, SN does have certain limitations in place such as:

Feature Limitations

  • In order to avoid performance issues with large files, the supported file size is restricted to 5MB, except for images.
  • Images do not have any file size restrictions.
  • Federal instances and encrypted files are not supported.
  • Excel files with formulas are not supported.

Please mark reply as Helpful/Correct, if applicable. Thanks!


Please consider marking my reply as Helpful and/or Accept Solution, if applicable. Thanks!

Hi @PavelP 

Thanks for marking my reply as Helpful.

If it also helps guide you Correctly, please also mark as Correct.

Thanks and take care! 🙂


