re: So?
"If the app is able to execute code, thats all well and good, but as long as the app can't make Admin level calls, where is the issue? ... because its on a Linux box, its unlikely they will have the ability to exploit the box, unless they have secondary exploit to give themselves greater access."
If an app is exploited, even if it only provides restricted user-level access, it *IS* a big deal. There are lots of bad things that can be done without rooting a box. Searching for and attacking Windows shares, searching for and sending junk/black pages to networked printers, DOSing an internal or external host/website, flooding the Internet connection with junk to slow the company's Internet connection, visiting illegal websites (including child porn) which will be tied back to the machine and the user who ran the exploit, etc. Rooting a box is not the only way to cause damage, especially if you can select your targets.
On a side note, why does a DOCUMENT READER need JavaScript in the first place?