That's why I never use PDF viewers that are integrated into the browser, in the past there have been numerous of vulnerabilities in both Chrome and Firefox.
Right. It could be used as a spy tool to prepare a targeted attack against a high-value target, but that is about it.
When malware "recon" activity like this is detected, it is usually a prelude to an imminent malware attack using the vulnerability. Hence the pen-testers public release so people can be warned and take appropriate precautions.