Issue 778565


Issue metadata

Status: Duplicate
Merged: issue 445758
Owner: ----
Closed: Oct 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security


JavaScript in PDF is executed without user input

Reported by tmeu...@gmail.com, Oct 26 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0

Steps to reproduce the problem:
1. Open the attached file in Chrome
2. In this file there is the following object as test: 
19 0 obj
<</Type/Catalog/Pages 6 0 R
/OpenAction 25 0 R
/ViewerPreferences<</DisplayDocTitle true
>>
/Lang(nl-NL)
>>
endobj

25 0 obj
<</Type/Action/S/JavaScript/JS (app.alert('Javascript!');) >>
endobj

What is the expected behavior?
Either a question: "Are you sure that you want to do stuff that can harm you and your computer?" or nothing

What went wrong?
JavaScript is executed directly on opening a PDF that contains JavaScript. This is a security risk for the users because they do not expect JavaScript in documents that they might or might not trust. A document with JavaScript can actually do real damage and trigger vulnerabilities in the PDF parser.
In a PDF, JavaScript should never be executed without user interaction.

Did this work before? No 

Chrome version: 62.0.3202.62 (Official build) (64-bit)  Channel: stable
OS Version: 10.0
Flash Version: 

I can understand if you say: "Hey man, this is not a problem as we allow JS to be executed on webpages as well, so we do not think a document is any different." But please do send an e-mail to me saying that so that I know this (on tmeulemans@securesult.nl). I looked a bit of a fool at a demo after a pentest, saying: "you need to still approve to execute JS. Oh shit, apparently not in Chrome..."
 
Attachments: Chrome_PDF_JS.PNG (4.7 KB), PDF_JavaScript2.pdf (132 KB)
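The catalog/action pair quoted in the report is exactly the pattern a document scanner on the receiving side can flag before a PDF reaches a viewer that runs it silently. The following is an added example, not code from the report or from Chromium: a minimal Python check that walks the uncompressed objects of a PDF, finds the /Catalog, follows its /OpenAction (either an indirect reference as above, or an inline dictionary) and reports whether the target is a /JavaScript action. The sample PDF bytes are constructed here to mirror the quoted objects, not taken from the attached file.

```python
import re

# Constructed sample mirroring the catalog/action pair quoted in the report
# (not the attached PDF_JavaScript2.pdf itself).
SAMPLE_PDF = b"""%PDF-1.7
19 0 obj
<</Type/Catalog/Pages 6 0 R
/OpenAction 25 0 R
/ViewerPreferences<</DisplayDocTitle true
>>
/Lang(nl-NL)
>>
endobj

25 0 obj
<</Type/Action/S/JavaScript/JS (app.alert('Javascript!');) >>
endobj
trailer
<</Root 19 0 R>>
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(.*?)\s*endobj", re.S)
REF_RE = re.compile(rb"/OpenAction\s+(\d+)\s+(\d+)\s+R")
INLINE_RE = re.compile(rb"/OpenAction\s*<<(.*?)>>", re.S)
JS_RE = re.compile(rb"/S\s*/JavaScript\b")

def parse_objects(data):
    """Map (num, gen) -> body for every uncompressed indirect object."""
    return {(int(n), int(g)): body for n, g, body in OBJ_RE.findall(data)}

def find_auto_js(data):
    """Return object numbers whose /OpenAction runs JavaScript on open.
    Plain-text scan only: objects inside compressed object streams or
    encrypted files are not visible here and need a real PDF parser."""
    objs = parse_objects(data)
    hits = []
    for (num, _gen), body in objs.items():
        if not re.search(rb"/Type\s*/Catalog", body):
            continue
        ref = REF_RE.search(body)
        if ref:  # indirect reference, as in the report: /OpenAction 25 0 R
            target = objs.get((int(ref.group(1)), int(ref.group(2))), b"")
            if JS_RE.search(target):
                hits.append(int(ref.group(1)))
            continue
        inline = INLINE_RE.search(body)  # /OpenAction <</S/JavaScript ...>>
        if inline and JS_RE.search(inline.group(1)):
            hits.append(num)
    return hits
```

Run on the sample it returns `[25]`, the action object the catalog points at; a mail gateway or upload handler can quarantine or strip such documents rather than relying on the viewer to prompt.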
Components: Internals>Plugins>PDF
Mergedinto: 445758
Status: Duplicate (was: Unconfirmed)
Script execution in PDFs is explicitly a feature of that format.

Comment 2 by tmeu...@gmail.com, Oct 30 2017

That is not my opinion, but hey I guess you guys can decide yourself.
When developing from a security by design and security by default point of view, JS execution without user interaction should be off by default.

Comment 3 by sheriffbot@chromium.org, Feb 2 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot