"From a security perspective, this enlarges the trusted code base, and because of that, Google's Chrome browser goes through quite some pain to sandbox the PDF renderer to avoid code injection attacks. An HTML5-based implementation is completely immune to this class of problems," he said.

Adobe Reader, the free PDF viewer whose plug-in is most notably used by Microsoft's Internet Explorer (IE), has been updated five times so far this year to fix flaws discovered by, and in many cases exploited by, cyber criminals. Three of those updates were "out-of-band," or emergency releases to address critical vulnerabilities hackers were actively exploiting.

By shunning the Reader plug-in, a browser sidesteps the vulnerabilities that come with the Adobe software.

Mozilla will initially provide the in-browser PDF viewer via a Firefox extension, but Gal said the ultimate goal was to ship the viewer inside the browser. "This will result in a substantial usability but also security improvement for our users," he argued.

Mozilla has dubbed the open-source project "pdf.js," and has published on its site, as well as on Github.