JavaScript is a silent threat!
I can no longer imagine the current structure of the web without JavaScript. This is about online applications in the form of traditional websites; otherwise traditional web interfaces would not be able to handle the applications, and the web would collapse without JS!
That does not mean I am a fan of JavaScript in terms of security, even though I am a JS coder myself. Even with all that sandboxing and the native security countermeasures, the way we use it today is risky. What level of risk, and under what threat model? It depends on what type of internet user we are dealing with.
For a user with a limited internet browsing scope, whether a home user or a corporate user under restrictive and secure corporate policies, the risk is very low, assuming the user has a limited number of trusted sources to browse, so exposure is only to known code and applications.
JavaScript threats are completely out of scope for general endpoint protection solutions
For a user who visits a wide range of random and unknown sites and applications, home or corporate, the possibility of facing malicious JavaScript is very high. This comes either directly from malicious code such as browser extensions and add-ons, or indirectly from malicious ads and other types of metadata. Let’s list some of the common scenarios:
- Malicious JavaScript in a browser extension records everything you do online
- Malicious JavaScript in a hijacked ad redirects to any malicious destination
- Malicious JavaScript within a page mimics signing in with a Google, Facebook, or Microsoft account and steals credentials
- Malicious JavaScript renders the content and misleads the visitor
The possibilities are endless when it comes to creative malicious content. But again, how can you even think about not using the most reputable Net applications by disabling JavaScript?
The beauty of JS from a hacker's POV is that it does not matter what type of protection you have, a basic anti-virus or the most sophisticated EDR: none are capable of handling many types of malicious JavaScript code. That means these threats are totally out of scope for general endpoint protection and all those solutions on which the majority of technology currently relies.