Why you should disable JavaScript when you're not using it

@starwars - Mar 2 2021

There have been discussions about the advantages and disadvantages of keeping JavaScript permanently enabled in browsers. In this article, we hope to show you the pitfalls and risks of doing so.

What is JavaScript
JavaScript is an interpreted language that runs inside your browser's sandbox. It is a high-level, just-in-time compiled, multi-paradigm programming language. JavaScript is the most important component for making web pages interactive. More recent client-side frameworks, such as React and Angular, all require JavaScript to render the user interface. Hence, JavaScript is becoming an indispensable element of the Internet, but is it?

Opsec Concerns
As mentioned earlier, JavaScript runs inside your browser's sandbox. Normally, the runtime components are all isolated inside your browser (hence the sandbox). However, with a specially crafted payload, malicious actors can use so-called RCE (Remote Code Execution) exploits to execute code "outside" of the sandbox.

Once the malicious actor gains access to your machine, he can run a ton of stuff, normally with the help of privilege escalation exploits (which give the actor root/admin privileges). Imagine how much damage can be done with this.

Complete RCE exploits seldom appear, and most are patched rather quickly, since this is quite a serious vulnerability. Still, I'd bet that law enforcement agencies like the NSA have bought quite a few under the table. So it's always better to be safe than sorry.

JavaScript scripts have access to all the APIs that the browser opens to them, so basically they can capture a certain amount of user information. Not to mention some stupid actions, like intentionally crashing your browser with stupid stuff such as infinite loops. Some exploits even allow malicious actors to steal cookies not accessible to the current domain (imagine if your web banking session cookie is stolen).
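
To see what the paragraph above means in practice, the following added example (not from the original article) lists a few values that any page script can read without a permission prompt. Paste it into your own browser console and call auditExposure() to audit your browser. The field selection and the constructedEnv sample are assumptions chosen for illustration.

```javascript
// Added example: self-audit of what a page script can read with no prompt.
// In a browser, call auditExposure() with no argument (uses the real globals).
function auditExposure(env = globalThis) {
  const nav = env.navigator || {};
  const scr = env.screen || {};
  const doc = env.document || {};
  const report = {
    userAgent: nav.userAgent,
    platform: nav.platform,
    languages: Array.isArray(nav.languages) ? nav.languages.join(",") : undefined,
    cpuCores: nav.hardwareConcurrency,
    screen: scr.width && scr.height ? `${scr.width}x${scr.height}` : undefined,
    // The page you came from, which may include a search query.
    referrer: doc.referrer || undefined,
    // Names only: cookies of the current site that are visible to scripts.
    cookieNames:
      typeof doc.cookie === "string" && doc.cookie !== ""
        ? doc.cookie.split(";").map((c) => c.split("=")[0].trim()).join(",")
        : undefined,
  };
  // Keep only the fields this environment actually exposed.
  return Object.fromEntries(
    Object.entries(report).filter(([, value]) => value !== undefined)
  );
}

// Constructed sample environment so the function also runs outside a browser.
const constructedEnv = {
  navigator: {
    userAgent: "ExampleBrowser/1.0 (constructed)",
    platform: "Linux x86_64",
    languages: ["en-US", "en"],
    hardwareConcurrency: 8,
  },
  screen: { width: 1920, height: 1080 },
  document: {
    referrer: "https://search.example/?q=private+query",
    cookie: "session=abc123; theme=dark",
  },
};

console.log(auditExposure(constructedEnv));
```

With JavaScript disabled none of these reads run; the site still receives whatever the HTTP request itself carries.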

Anyway, it's always good practice to disable JavaScript unless completely necessary. We're living under massive surveillance networks, so we might as well make the agents' job more tiring.


