This is what happens when I read too fast. I almost completely dismissed a recent writeup by Stefano Di Paola and Giorgio Fedon (thanks to pdp for doing a more thorough writeup). But it’s true, and PDF is vulnerable to XSS injection regardless if you have control over the PDF itself. Which means any website that has a PDF on it is now vulnerable to XSS injection.
Yup, like I said, simple. This is a really nasty issue, as any automatic redirection or getting anyone to click on a link can now compromise that website if they have Adobe’s PDF reader installed (which practically everyone does). This is one of the worst issues I’ve seen in a while, as almost every major website has PDFs on it (investor relations, white papers, sales sheets, etc…). You might want to remove your PDFs for the time being, protect them or at minimum host them on a domain you don’t care about.