Why you can't just disable JavaScript
Web Browser Security
As ugly and hard to secure as JavaScript is, it could be worse – we could be using ActiveX.
JavaScript – can't live with it, can't live without it. The modern web is amazing; I can pay my bills, buy a laptop, and order hot pizza all from my web browser. To do all these activities, I must have a web browser with JavaScript enabled. If I disable it, I can't read my email, pay my bills, buy anything, or view approximately half the websites on the planet. But if I enable JavaScript, the bad guys can:
- track who I am with tracking code, such as Google Analytics;
- exploit security vulnerabilities in Firefox (120+ and still going);
- redirect me to hostile websites; and
- hijack actions, such as keyboard and mouse clicks.
Did I just say 120+ security vulnerabilities in Firefox that are exploitable via JavaScript? Yup. And that's not counting the ones that haven't been officially categorized or fixed yet. A perfect example of one of these is CVE-2009-0253; using the onmouseover action to position a 2 by 2 pixel box over a clickable link, an attacker can redirect you to an arbitrary website [1]. Any mouse click event (i.e., clicking on what looks like a legitimate link, image, etc.) over a link results in an onmouseover event that redirects you to, well, wherever the attacker wants:
[...]
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
US / Canada
UK / Australia