javascript pdf.js

What are the security implications of the isEvalSupported option in PDF.js?


The PDF.js library has an option isEvalSupported, which is described as follows:

(optional) Determines if we can eval strings as JS. Primarily used to improve performance of font rendering, and when parsing PDF functions. The default value is true.

Does this have security implications for untrusted PDFs?


Solution

  • Potentially, there is a tiny possibility, but PDF only evals code it generates itself (not random JS script), so theoretically it's not really a concern. PDF.js was reviewed multiple times for these usages. Keep in mind, it's a web application, and the worst it can do is an XSS attack.

    If you serve untrusted PDFs in a PDF viewer and you are hosting at your location, it is better for it to be located at a different origin than your main app: www.example.org vs pdfviewer.example.org.
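
A deployment check for the option in the question and the separate-origin advice in the answer, as an added example that is not part of the original answer or PDF.js's own code. The function names, URLs and policy strings are hypothetical; the Content-Security-Policy check goes beyond the answer and is included as a second way to keep eval off in the viewer page.

```javascript
// Added example: checks for a viewer page that opens untrusted PDFs.
// All function names are hypothetical; URLs and CSP strings are constructed.

// Parameters for pdfjsLib.getDocument(); isEvalSupported is the option
// from the question, switched off so the library does not eval strings.
function hardenedLoadOptions(pdfUrl) {
  return { url: pdfUrl, isEvalSupported: false };
}

// True when viewer and main app differ in scheme, host or port, so script
// running in the viewer is not same-origin with the main application.
function isIsolated(appUrl, viewerUrl) {
  return new URL(appUrl).origin !== new URL(viewerUrl).origin;
}

// Parse a Content-Security-Policy value into { directive: [sources] }.
// When a directive is repeated, only its first occurrence counts.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}

// True when the policy that governs scripts does not allow eval() or
// new Function(). script-src falls back to default-src; with neither
// directive present the browser places no restriction on eval.
function cspBlocksEval(header) {
  const policy = parseCsp(header);
  const sources = policy['script-src'] || policy['default-src'];
  if (!sources) return false;
  return !sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Collect findings for one deployment; an empty array means both checks pass.
function auditViewer({ appUrl, viewerUrl, csp }) {
  const findings = [];
  if (!isIsolated(appUrl, viewerUrl)) findings.push('viewer shares the main app origin');
  if (!cspBlocksEval(csp)) findings.push('CSP permits eval in the viewer');
  return findings;
}
```
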