How dangerous can JavaScript be?

9

3

I have recently started using NoScript (in addition to ABP). It took a little while to get used to it and can occasionally require some clicking when visiting a new site to investigate why the site's not working and where I need to allow JavaScript from. Is the extra security worth it?

Some of the controversy is discussed here. I suppose it boils down to a matter of whether JavaScript is a genuine threat to your computer or not. Any thoughts on this?

Gordon Gustafson

Posted 2010-03-23T01:10:32.047

Reputation: 1 767

2

Try http://tinyurl.com/y8qdwsv if you feel browsing without NoScript is a decent idea.

– Josh K – 2010-03-23T01:28:01.287

1

Try http://tinyurl.com/ydwxk63 if you want to laugh really hard.

– Hasaan Chop – 2010-03-23T01:31:10.380

@JoshK owwww, CPU and mem goes way up! – Maxim Zaslavsky – 2010-03-23T01:33:07.337

1

And quite a few things probably crash. It's 2.4MB of iframes – Josh K – 2010-03-23T01:39:11.200

@Josh K: I'm pretty disappointed that FireFox allowed that. Opera exhibits different behavior (not nearly as annoying) but that still slugs away. Chrome doesn't throw too much of a fuss at all; it seems to limit how often it can popup. (Yes, I was stupid enough to try it 3 times) – mpen – 2010-03-23T01:45:26.247

@Mark: Actually the most annoying part was that I forgot that I have that set as a "trusted" domain and it backfired when I was testing the link. Heh. – Josh K – 2010-03-23T01:47:02.500

Answers

3

The reason NoScript even exists in the first place is not necessarily JavaScript per se, but security holes in the browser. In the past Firefox and other browsers have had many security vulnerabilities that have allowed malicious JavaScript to do bad things to a user's system. (In many cases native code could be executed through JavaScript, meaning a website could potentially do anything to your computer.) There is also a possibility of cross-site scripting attacks, like @Eric said.

However, these threats are very few and far between unless you regularly browse shady websites, so whether or not NoScript is worth the hassle is up to you. Personally, I don't find it to be worth it, especially considering that more and more websites require JavaScript to function at all, which means you will constantly be whitelisting scripts or entire domains (and at that point, you're defeating some of the benefit of using it in the first place).

Sasha Chedygov

Posted 2010-03-23T01:10:32.047

Reputation: 6 616

4

See http://en.wikipedia.org/wiki/Cross-site_scripting and http://en.wikipedia.org/wiki/Cross-site_request_forgery for examples of how someone with malicious intent can cause problems using JavaScript.

FWIW - I personally don't roll with NoScript as I think it's a major headache. Sometimes you just have to watch where you're browsing and hope for the best.

Eric

Posted 2010-03-23T01:10:32.047

Reputation: 153

2

I dunno, I think both of those are bigger concerns for the web developer than for the user. I suppose a poorly designed site is susceptible to those kinds of flaws which then in turn could compromise the user's data... but really, what kind of stuff are they going to steal? Your username on some crummy forum? Whoopy doo. Only place it matters is when you've got credit card info and stuff, but you should never be entering that sort of info on a site you don't trust in the first place. – mpen – 2010-03-23T01:30:39.757

2

@Mark, Do you understand what CSRF is? Say you have your browser open to your bank and another tab open to an evil site. With a CSRF the evil site can trick your browser into making a request to your bank to transfer all your money out of your account. – Zoredache – 2010-03-23T02:58:42.267

1

You can protect yourself from CSRF by logging out of sensitive sites before going elsewhere. Though I'd like to think banks would be designed without this glaring hole, I know they haven't been in the past. – Zurahn – 2010-03-23T04:14:46.197
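The CSRF scenario raised in the comments above, seen from the bank's side, as an added example that is not part of the original thread: a server-side check that rejects a state-changing request unless it carries the per-session token that only the bank's own pages can embed. The origin `https://bank.example`, the request objects and the session shape are constructed assumptions.

```javascript
// Added example: server-side CSRF check for a state-changing request.
// bank.example, other.example and the request/session shapes are constructed.
const nodeCrypto = require('crypto');

const TRUSTED_ORIGIN = 'https://bank.example'; // assumed site origin

// Synchronizer token: a random value kept in the server-side session and
// embedded in the bank's own forms. A page on another site cannot read it.
function newSession(user) {
  return { user, csrfToken: nodeCrypto.randomBytes(32).toString('hex') };
}

// Constant-time comparison so the check does not leak token prefixes.
function tokensMatch(expected, supplied) {
  const a = Buffer.from(String(expected));
  const b = Buffer.from(String(supplied ?? ''));
  return a.length === b.length && nodeCrypto.timingSafeEqual(a, b);
}

// Returns { allowed, reason } for an already-parsed request object.
function checkRequest(req, session) {
  // Safe methods must never change state, so they need no token.
  if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) {
    return { allowed: true, reason: 'safe method' };
  }
  if (!session) return { allowed: false, reason: 'no session' };
  // Browsers send Origin on cross-site POSTs; reject a mismatch outright.
  const origin = req.headers.origin;
  if (origin !== undefined && origin !== TRUSTED_ORIGIN) {
    return { allowed: false, reason: 'cross-origin request' };
  }
  if (!tokensMatch(session.csrfToken, (req.body || {}).csrfToken)) {
    return { allowed: false, reason: 'missing or wrong CSRF token' };
  }
  return { allowed: true, reason: 'token verified' };
}

// Constructed requests. In both, the browser attached the session cookie.
const session = newSession('alice');
const fromBankPage = {
  method: 'POST', headers: { origin: 'https://bank.example' },
  body: { to: 'bob', amount: 10, csrfToken: session.csrfToken },
};
const fromOtherTab = {
  method: 'POST', headers: { origin: 'https://other.example' },
  body: { to: 'mallory', amount: 5000 },
};
console.log(checkRequest(fromBankPage, session)); // allowed
console.log(checkRequest(fromOtherTab, session)); // rejected
```

The session cookie alone is never treated as proof of intent, so the check holds even if the user stays logged in while browsing other sites.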

1

  • Poorly written or malicious JavaScript can crash your browser, or cause it to freeze up
  • JavaScript may be used to cause drive-by downloads
  • But, used properly and as intended, JavaScript does enhance the web browsing experience

There are pros and cons, but on the whole it is worth the trouble. For the record, I always use the NoScript extension, selectively enabling scripts for the sites I regularly visit and I expect are safe.

Grant Palin

Posted 2010-03-23T01:10:32.047

Reputation: 1 102

0

While there have technically been exploits in image processing and XML rendering and the like, for all intents and purposes there are presently three vectors of attack: social engineering (tricking the user, getting the user to run a malicious file), plugins (Flash), and JavaScript.

JavaScript directly allows instructions to be run, and it's particularly bad in the case of Internet Explorer due to the incredibly poor decision and implementation of ActiveX controls in the past (though Microsoft has improved in this regard). You also don't have to necessarily go to shady sites, as ads are served in JavaScript and there are multiple cases of where malicious ads have been served to legitimate sites.

Short answer: If you're going to worry about threats, there are three things to be concerned about: Internet Explorer, Flash, and JavaScript.

Zurahn

Posted 2010-03-23T01:10:32.047

Reputation: 782

"JavaScript directly allows instructions to be run" -- source? This is true in older versions of IE due to ActiveX, but nowadays that only happens when security exploits are found, and those are usually patched pretty quickly. JavaScript itself actually can't do very much to your system--at most, it could slow down or maybe crash your browser. – Sasha Chedygov – 2010-11-08T23:13:35.283

2

JavaScript is a programming language, you write instructions. I'm not referring to machine code level instructions, I'm referring to the language itself -- that running JavaScript is running code; no more no less. Contrastable to HTML and CSS (aside from eval in IE) which are purely descriptive. Because of that, the likelihood of vulnerabilities through JavaScript is astronomically higher -- JavaScript is only benign if there are no mistakes either in implementation or specifications, which will never happen. – Zurahn – 2010-11-09T01:29:02.793

0

Very few computers, if any, connected to the internet are exploit proof. One did not even need Meltdown or Spectre to get malicious advertising on your machine; it came from trusted websites like it always has.

"Here’s why the epidemic of malicious ads grew so much worse last year. Forced redirects from Zirconium group push phony malware and fake Flash updates." Dan Goodin, 1/23/2018, 5:00 AM

In the 1990s, Netscape Navigator had digitally signed JavaScript; we need an improved version of that now.

rjt

Posted 2010-03-23T01:10:32.047

Reputation: 878

0

JavaScript doesn't have to necessarily trash your computer to harm you. Here are some straightforward examples of JavaScript sniffers which can be used to steal your banking information and send it to a remote attacker:

https://www.smartspate.com/four-javascript-sniffer-that-will-show-how-careful-you-should-be-with-online-purchasing/

pevogam

Posted 2010-03-23T01:10:32.047

Reputation: 101