We are using the pdf.js (1.3.91) and pdf.worker.js. Our security ask me now, if I use the sha-1 algorithm in my or my third party code. But I cannot answer it. So my question here is:
Did PDF and so mozillas pdf.js ever used the SHA-1 algorithm (e.g. password hashing)?
If yes, did pdf.js removed it?
If yes, at what version?
More context must be provided. I guess OP's security concern about weakness of SHA-1 as described at https://shattered.io/static/shattered.pdf
Did PDF and so mozillas pdf.js ever used the SHA-1 algorithm (e.g. password hashing)?
Goal of any PDF viewer was to display a PDF no matter how broken and unsafe it is (and the Reader did set very "high" bar here⸮) So it's very unlikely any reader will remove SHA-1 algorithm for consumer by default.
If yes, did pdf.js removed it?
There is no evidence of implementing SHA-1 in PDF.js by looking at https://github.com/mozilla/pdf.js/blob/a8c87f8019aed3e9fcc5a7c2733ea3b8aa33e59a/src/core/crypto.js . Per PDF32000, SHA-1 is used only for signature check and https://github.com/mozilla/pdf.js/issues/1076 looks still opened.
So, no, pure SHA-1 did not make into PDF.js yet.