
Is Javascript dangerous?

Question:

I’ve been using NoScript recently. It’s an add-on for Firefox that only
allows JavaScript to run on sites after I’ve specifically agreed to allow that
to happen. I’ve started doing this because I’ve read that running untrusted
JavaScript from every site you visit online increases your security risk
online. Do you think I’m overdoing it? What are your thoughts on the topic of
allowing any site I visit to run JavaScript on my machine?

Well, I actually believe that JavaScript is relatively safe. Not perfectly
safe – nothing is – but safe enough.

Having said that, I should tell you that I also run NoScript.

Let’s look at what that all means.


JavaScript is a programming language. What makes it special is that nearly
all web browsers can run JavaScript programs (or program fragments) embedded
in web pages.

If you read that carefully you’ll realize that this means a web page – any
web page – can now include a computer program. Rather than just displaying text
and pictures, web pages can now “do” things. A popular
example is Gmail’s web interface, which makes heavy use of JavaScript to
present a very complete and functional email program – all in a web page.

Now, JavaScript in a web page operates in a “sandbox” – meaning it can only
operate within that sandbox, and not outside of it. The browser decides which
operations a script is allowed to perform: a script gets the functions the
browser exposes to web content (manipulating the page, talking to the site it
came from) and nothing else. It has no direct access to your files, your
other programs, or, thanks to the same-origin policy, the pages and data of
other sites you’re logged in to. In theory, and in practice most of the time,
this prevents a JavaScript program from doing anything harmful to your
computer.

In other words, JavaScript is safe.

However, as we all know, all software has bugs. This holds true for the
various implementations of JavaScript, as well as the browsers that JavaScript
runs in. Some of those bugs can, when discovered, be exploited to bypass the
sandbox, or to perform other malicious actions on your machine.

The good news is that such exploits are rare. And once again, as long as you
keep your computer up-to-date with the latest patches and versions of the
operating system and browser (the JavaScript engine is part of the browser and
is updated with it), you’re likely quite safe. That’s actually how I run most
of my other machines.


However, after learning about NoScript, I decided to give it a try. Exactly
as you say, it enables JavaScript on a site-by-site basis, depending on what
you tell it. If you visit a site that you haven’t OK’ed, NoScript tells you,
and the JavaScript programs that might be on that page do not run. The result
is that some web sites simply don’t work, while others might only work
partially. The point is that you now have the choice of whether or not to
enable JavaScript for each site you visit.

An interesting side effect is that much advertising relies on JavaScript,
and if you turn JavaScript off a lot of advertising just disappears. In fact,
if you visit Ask Leo! with JavaScript disabled, you’ll not see much of the
advertising that supports this site. On other sites you may enable JavaScript
for the site in question, only to be told that other domains that site
references are still blocked – often because those other domains are used to
present some of the ads or content on the original page.
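To make the site-by-site model concrete, here is a small script policy written in the style NoScript uses: a page’s scripts run only if the page’s site is on your allowlist, and scripts pulled in from other domains (ad networks, CDNs) are judged separately, which is why you can see a site you have allowed still report other blocked domains. This is an added example written for this page, not NoScript’s own code; the allowlist, the page, and the script URLs are constructed, and the “site” of a hostname is simplified to its last two labels (real tools use the public suffix list).

```javascript
// Added example: a minimal NoScript-style allowlist policy. Not NoScript's
// code; allowlist entries and URLs below are constructed for illustration.

// Sites the user has explicitly trusted (constructed).
const ALLOWLIST = new Set(["askleo.com", "mail.google.com"]);

// Reduce a hostname to the "site" a user trusts. Simplification: last two
// labels only, so "cdn.askleo.com" -> "askleo.com". Multi-label public
// suffixes (e.g. co.uk) are not handled here; a real tool uses the PSL.
function siteOf(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

// Decide whether a script loaded from scriptUrl may run on pageUrl.
// Both the page's site and the script's site must be trusted: allowing a
// site does not automatically allow every third-party domain it references.
function decide(pageUrl, scriptUrl, allowlist = ALLOWLIST) {
  const page = siteOf(new URL(pageUrl).hostname);
  const script = siteOf(new URL(scriptUrl).hostname);
  if (!allowlist.has(page)) {
    return { allow: false, reason: `page site ${page} is not trusted` };
  }
  if (!allowlist.has(script)) {
    return { allow: false, reason: `third-party site ${script} is not trusted` };
  }
  return { allow: true, reason: `${script} is trusted` };
}

// Apply the policy to every script on a page. Each entry is either
// { src: "https://..." } or { inline: true } (an inline script belongs to
// the page itself, so it is judged as coming from the page's own site).
function filterScripts(pageUrl, scripts, allowlist = ALLOWLIST) {
  const ran = [];
  const blocked = [];
  for (const s of scripts) {
    const src = s.inline ? pageUrl : s.src;
    const verdict = decide(pageUrl, src, allowlist);
    (verdict.allow ? ran : blocked).push({ src, reason: verdict.reason });
  }
  return { ran, blocked };
}

// Constructed sample page: one inline script, one same-site script, one
// ad-network script, one script from an unrelated CDN.
const SAMPLE_PAGE = "https://askleo.com/is-javascript-dangerous/";
const SAMPLE_SCRIPTS = [
  { inline: true },
  { src: "https://cdn.askleo.com/site.js" },
  { src: "https://ads.example.net/serve.js" },
  { src: "https://cdn.example.org/lib.js" },
];

function demo() {
  const result = filterScripts(SAMPLE_PAGE, SAMPLE_SCRIPTS);
  for (const r of result.ran) console.log("RAN    ", r.src);
  for (const b of result.blocked) console.log("BLOCKED", b.src, "-", b.reason);
  return result;
}

if (typeof require !== "undefined" && require.main === module) demo();
```

With the constructed allowlist, the inline script and the one from cdn.askleo.com run, while ads.example.net and cdn.example.org are reported as blocked third-party sites. Trusting a site you have not visited before is a separate decision: until askleo.com is added to the allowlist, none of its scripts run, inline included.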

And of course, blocking JavaScript from sites you haven’t explicitly trusted
stops any attempt at malicious behavior before it starts, whether or not that
attempt could actually have succeeded against an up-to-date browser.

My bottom line is this: running with JavaScript enabled is not that scary a
thing, and many, many sites now require it for full functionality. If you’re at
all concerned, or just want to turn off some of the content (ads included) that
JavaScript brings with it, NoScript is a fine way for Firefox users to take
control.


8 comments on “Is Javascript dangerous?”

  1. I have heard a great deal about JavaScript and for the most part not too many good things. However I can see the advantage of having JavaScript, it makes the site pages come alive. Safety is a concern of mine as well, therefore I am asking you about NoScript. What exactly is NoScript? A program in and of itself? Or a helper DLL that can be activated and deactivated at will? Where does one find NoScript?

    Reply
  2. Actually, that explanation isn’t totally correct. JavaScript can be quite dangerous because it allows control of all settings inside the browser. A simple example is seen on many web sites that disable your back button as soon as you arrive at the site — trapping you on their site. You have to actually close your browser to get out. Very annoying. But more dangerous is the fact that they can change ANY setting in your browser — not just the back button. So JavaScript apps can actually turn off your security settings in your browser, and then let all types of malicious software in from that (or other) web sites. I recommend keeping JavaScript off for safety, except for sites that you trust and really require it to run. Ditto for ActiveX and most of all, Flash.

    Reply
  3. JavaScript can’t turn off the security settings in your browser…that’s a bit misleading. It can however control the way the browser acts while you are on the site. If it acts weird on your computer, just close the browser or if necessary use Task Manager through the Ctrl+Alt+Delete keys and don’t return to that site. Web browsers don’t allow JavaScript to write to your local hard drive directly…making it safer than other languages.

    Reply
  4. A great straight-to-the-point and accurate article!

    The problem is, as the intaknetz evolves, users demand more functionality, which means handing more power over to the developers. But this also means people with a malicious intent have more tools at their disposal.

    But as well as this, rumors get started and spread quickly about “how dangerous JS really is”. I do not deny it can be used to very dubious effects, like stealing data stored in cookies for example. But people do get paranoid about these things, and think everyone is out to get them, which isn’t true.

    JavaScript’s capabilities are solely in the hands of your browser, so if the web page is being granted too much power (like changing security settings), you should switch to a different browser. Or, as this article so rightly points out, stay up-to-date with your updates, because as better security procedures and safeguards are implemented, better hacks and back doors are found; the best bet is to try and stay one step ahead of them.

    And as for NoScript… Never used it because I’ve never felt a reason to do so; I feel competent enough to judge whether a site is trustworthy and would not allow itself to be compromised (my fault if I’m wrong). But yes, if a friend asked me: “How can I improve the security of Firefox?” (I don’t know of any NoScript equivalents for the other “major” browsers.), I would recommend it, as by completely denying the code to be executed until explicitly allowed to do so, you will lower your chances of getting any nasty surprises, but you have to remember, there is nothing stopping you allowing something malicious to run.

    …just saying…

    Reply
  5. NOTE: your browser does not appear to have JavaScript turned on. JavaScript is required in order to post a comment.

    Oh the irony of it…

    Reply
