2

I remember the times when Javascript usage was so innocent; a small pop-up here, a dialog message there.

Nowadays Javascript "steals" data by exploiting vulnerabilities on "mature" browsers such as Firefox (prior to 39.0.3.), and making the world under alert.

The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the “same origin policy”) and Firefox’s PDF Viewer. Mozilla products that don’t contain the PDF Viewer, such as Firefox for Android, are not vulnerable. The vulnerability does not enable the execution of arbitrary code but the exploit was able to inject a JavaScript payload into the local file context. This allowed it to search for and upload potentially sensitive local files.

Source

Or just by visiting a website you get a malware as a gift:

You can get a virus just by visiting a site in Chrome or any other browser, with no user-interaction needed. Even with Chrome you are not 100% secure - and you probably never will be with any browser, but Chrome is getting pretty close to it and the security research community seems to agree that at this time, it is the most secure browser you can use.

Source

  • Based on that, I wonder if JavaScript is too dangerous to be used on browsers or if browsers themselves are too insecure?
  • Would it be possible to limit what JavaScript can do from a browser configuration perspective (e.g. Automatically start a download or references to scripts on other domains [High threat])?

1 Answers1

1

JavaScript itself is not dangerous, the complexity of modern browsers and consequentially the bugs introduce are. But of course JavaScript is one common way to exploit these bugs.

Limiting the usage and/or execution of scripts increases the security, there are different ways to do that. Browser configuration allows you to completely deactivate scripts or allow only certain permissions (e.g. download fonts). This might or might not be away to increase security depending how the check works. It would not be a good measurement if the script is executed and checked in between, it should be analyzed before execution. This is why extensions/plug-ins like NoScript exist that let you decide what scripts from what source should be allowed. This happens before loading the script and has very detailed and easy configuration. In general all browsers try to protect against basic security problems like XSS (Cross Site Scripting) or drive-by downloads. But that is often not enough and additional measurements are necessary.

NoScript specifically lets you decide what tags in html are allowed, filters them. You are able to white- and black-list websites, recognizes XSS, can enforce ABE and many more things.

There might be other ways to effectively minimize script execution, but this is the I personally think is the best trade-off between completely disabling scripts (which would break almost every modern website) or allowing everything.

There may be other extensions besides NoScript with similar functions, but I haven't used them and can't give other recommendations.

John
  • 1,007
  • 6
  • 14