Does JavaScript Pose A Security Risk?

JavaScript is a silent threat!

I can no longer imagine the current structure of the web without JavaScript. Modern online applications are delivered in the form of traditional websites, and without JS those traditional web interfaces could not run them; the web as we know it would collapse.

That does not mean I am a fan of JavaScript from a security standpoint, even though I write JS myself. Despite all the sandboxing and the browser's native countermeasures, the way we use it today is risky. How much risk, and under which threat model? That depends on what type of internet user we are dealing with.

For a user with a limited browsing scope, whether a home user or a corporate user under restrictive and secure corporate policies, the risk is very low. Such a user visits only a small number of trusted sites, so exposure is limited to known code and applications.

The JavaScript threat is completely out of scope for general endpoint protection solutions

For a user who visits a wide range of random and unknown sites and applications, at home or in the office, the chance of running malicious JavaScript is very high. It arrives either directly, as malicious code in browser extensions and add-ons, or indirectly, through malicious ads and other third-party content embedded in the page. Some common scenarios:

  • Malicious JavaScript in a browser extension records everything you do online
  • Malicious JavaScript in a hijacked ad redirects you to an arbitrary malicious destination
  • Malicious JavaScript within a page mimics the "Sign in with Google, Facebook, or Microsoft" flow and steals credentials
  • Malicious JavaScript rewrites the rendered content and misleads the visitor
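The first scenario is the easiest to check for yourself before the extension ever runs: an extension's manifest declares which sites its scripts may touch and which browser APIs it may call. The following is an added example, not code from the original post, that reviews a manifest for the combination that lets an extension watch and rewrite everything you do online. The two manifests and the names `assessManifest`, `tidyManifest` and `greedyManifest` are constructed for this demo.

```javascript
// Added example (not code from the original post): review a browser
// extension's manifest.json for the permissions that let its JavaScript
// observe or alter every page the user visits. Runs under Node.js with no
// network access; the two manifests at the bottom are constructed for the demo.

// Broad host patterns: a content script or host permission matching one of
// these runs in (or can read) every page the user visits.
const BROAD_HOST_PATTERNS = ['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*'];

// API permissions that, combined with broad host access, allow reading or
// rewriting traffic, cookies, history or clipboard contents.
const SENSITIVE_PERMISSIONS = new Set([
  'webRequest', 'webRequestBlocking', 'declarativeNetRequest',
  'cookies', 'history', 'tabs', 'scripting', 'clipboardRead',
  'nativeMessaging', 'debugger', 'proxy',
]);

// Permissions that let the extension rewrite or redirect requests.
const TAMPER_PERMISSIONS = ['webRequest', 'webRequestBlocking', 'declarativeNetRequest', 'proxy'];

function isBroad(pattern) {
  return BROAD_HOST_PATTERNS.includes(pattern);
}

// Returns a list of human-readable findings; an empty list means nothing in
// the manifest grants page-wide visibility or tampering ability.
function assessManifest(manifest) {
  const findings = [];
  const hostPerms = manifest.host_permissions || [];
  const apiPerms = manifest.permissions || [];
  const contentScripts = manifest.content_scripts || [];

  // Manifest V2 mixed host patterns into "permissions"; MV3 separates them
  // into "host_permissions". Check both places.
  const allHosts = hostPerms.concat(
    apiPerms.filter((p) => p.includes('://') || p === '<all_urls>'),
  );
  for (const h of allHosts) {
    if (isBroad(h)) findings.push(`host access to every site: ${h}`);
  }

  for (const cs of contentScripts) {
    const broad = (cs.matches || []).filter(isBroad);
    if (broad.length > 0) {
      const when = cs.run_at || 'document_idle';
      findings.push(`content script injected into every page (${broad.join(', ')}) at ${when}`);
    }
  }

  for (const p of apiPerms) {
    if (SENSITIVE_PERMISSIONS.has(p)) findings.push(`sensitive API permission: ${p}`);
  }

  // The combination is what matters: page-wide injection plus the ability to
  // rewrite or redirect traffic is everything a keylogger or ad hijacker needs.
  const pageWide = findings.some((f) => f.startsWith('host access') || f.startsWith('content script'));
  const canTamper = apiPerms.some((p) => TAMPER_PERMISSIONS.includes(p));
  if (pageWide && canTamper) {
    findings.push('HIGH: can both read every page and rewrite or redirect its traffic');
  }
  return findings;
}

// Constructed sample manifests (hypothetical extensions, for the demo only).
const tidyManifest = {
  manifest_version: 3,
  name: 'Site Helper',
  permissions: ['activeTab', 'storage'],
  host_permissions: ['https://example.com/*'],
  content_scripts: [{ matches: ['https://example.com/*'], js: ['helper.js'] }],
};

const greedyManifest = {
  manifest_version: 3,
  name: 'Free Coupons',
  permissions: ['tabs', 'cookies', 'webRequest', 'storage'],
  host_permissions: ['<all_urls>'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['logger.js'], run_at: 'document_start' }],
};

for (const m of [tidyManifest, greedyManifest]) {
  const findings = assessManifest(m);
  console.log(`${m.name}: ${findings.length === 0 ? 'no findings' : ''}`);
  for (const f of findings) console.log('  - ' + f);
}
```

Run it with `node` and it prints the findings for each manifest. The permission names are the ones Chromium and Firefox read from `manifest.json`. The review is deliberately conservative: a legitimate password manager or ad blocker needs the same grants and will trigger the same findings, so treat the output as a reason to read the extension's code, not as a verdict.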

The possibilities are endless when it comes to creative malicious content. But again, how can you even think about disabling JavaScript, and with it most reputable web applications?

The beauty of JS from a hacker's point of view is that it does not matter what protection you have: a basic antivirus or the most sophisticated EDR, none of them is capable of handling many types of malicious JavaScript code, because the script executes inside the browser rather than as a file or process the endpoint agent is built to inspect. That puts these threats completely out of scope for general endpoint protection and all the solutions that most of the industry currently relies on.
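Since the endpoint agent never sees the script that runs inside the page, the controls that do apply are the ones the browser enforces, and the main one a site operator can set is the Content-Security-Policy header. The following is an added example, not code from the original post, that reviews a CSP header for the settings which would let the in-page scenarios above succeed: injected inline script running, scripts loading from any origin, a fake login form posting credentials anywhere. The two sample headers and the function names `parseCsp`, `effective` and `reviewCsp` are constructed for this demo, and the review is intentionally partial (it does not model every directive or browser version).

```javascript
// Added example (not code from the original post): a minimal reviewer for a
// Content-Security-Policy header. Runs under Node.js with no network access;
// the two headers at the bottom are constructed for the demo.

// Parse "dir1 v1 v2; dir2 v3" into { dir1: ['v1', 'v2'], dir2: ['v3'] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    policy[name.toLowerCase()] = values;
  }
  return policy;
}

// Fetch directives (script-src, connect-src, ...) fall back to default-src
// when absent; form-action does not, so a missing form-action is unrestricted.
function effective(policy, directive) {
  if (policy[directive]) return policy[directive];
  if (['script-src', 'connect-src'].includes(directive)) return policy['default-src'] || null;
  return null;
}

// Source expressions that match any host on the web.
const ANY_HOST = new Set(['*', 'http:', 'https:', 'http://*', 'https://*']);

// Returns a list of warnings; an empty list means none of the checked
// weaknesses is present (not that the policy is complete).
function reviewCsp(header) {
  const policy = parseCsp(header);
  const warnings = [];

  const script = effective(policy, 'script-src');
  if (!script) {
    warnings.push('script-src: missing (and no default-src), scripts may load from anywhere');
  } else {
    const hasNonceOrHash = script.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    // With a nonce or hash present, CSP3 browsers ignore 'unsafe-inline'.
    if (script.includes("'unsafe-inline'") && !hasNonceOrHash) {
      warnings.push("script-src: 'unsafe-inline' lets injected inline script run");
    }
    if (script.some((s) => ANY_HOST.has(s))) {
      warnings.push('script-src: wildcard or scheme-only source allows scripts from any host');
    }
  }

  if (!policy['form-action']) {
    warnings.push('form-action: missing, an injected login form can post credentials to any origin');
  } else if (policy['form-action'].some((s) => ANY_HOST.has(s))) {
    warnings.push('form-action: wildcard allows posting credentials to any origin');
  }

  const connect = effective(policy, 'connect-src');
  if (!connect || connect.some((s) => ANY_HOST.has(s))) {
    warnings.push('connect-src: unrestricted, script can exfiltrate data via fetch/XHR to any host');
  }
  return warnings;
}

// Constructed sample headers for the demo.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:; img-src *";
const STRONG_CSP = "default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic'; " +
  "connect-src 'self'; img-src 'self'; style-src 'self'; form-action 'self'; " +
  "base-uri 'none'; frame-ancestors 'none'";

for (const [label, header] of [['weak', WEAK_CSP], ['strong', STRONG_CSP]]) {
  const warnings = reviewCsp(header);
  console.log(`${label}: ${warnings.length === 0 ? 'no findings' : ''}`);
  for (const w of warnings) console.log('  - ' + w);
}
```

The weak header is the common shape that leaves the door open: `'unsafe-inline'` means a script injected by a compromised ad slot runs as if it were the site's own, and the missing `form-action` means a fake sign-in form can post straight to the attacker. The strong header uses a nonce so only script the server tagged will execute, and pins `form-action` and `connect-src` to the site itself.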

By Kaveh Mofidi

I find simple solutions for complex problems. While I enjoy working with information security and computers, our challenges extend far beyond securing data. The real task is to discover solutions for unlimited clean energy, drinkable water, and addressing the root causes of hunger, war, and injustice. Our primary goal should be to keep our planet livable; that is the true challenge we face on Earth!