We all – except Node.js people and those that want JavaScript to control nuclear power plants – have seen it coming:

„JavaScript is evil“

Stallman Anti-JavaScript rant: https://www.gnu.org/philosophy/javascript-trap.en.html

(I think he complains more that most JavaScripts don’t come with a licence)

Intranet use – okay – Internet/Web-use – not okay.

Any page that does not render its content text/pictures properly without JS SUCKS!

Do I hate JS?

Partly. For me it always felt „sluggish“, slow and unreliable – one browser does JS better/faster than others, or not at all. On the other side it makes the web more alive, more animated, more vibrant, more interesting – but also more annoying.

JS is a security problem:

The lesser problem: nasty popups, hidden windows in the background, spying and privacy problems: some viruses you can get simply by visiting a website with an outdated OS/browser and JavaScript enabled.

Not only that: it also seems possible to do side-channel attacks (super mega slow but possible) on Intel CPUs with out-of-order execution, e.g. theoretically read browser passwords from a Firefox web client.

Conclusion: if you build platforms and you can avoid JavaScript, do it.

„In this paper, we presented Rowhammer.js, an implementation of the Rowhammer attack using fast cache eviction to trigger the Rowhammer bug with only regular memory accesses. It is the first work to investigate eviction strategies to defeat complex cache replacement policies. This does not only enable to trigger Rowhammer in JavaScript, it also benefits research on cache attacks as it allows to perform attacks on recent and unknown CPUs fast and reliably. Our fully automated attack runs in JavaScript through a remote website and can gain unrestricted access to systems. The attack technique is independent of CPU microarchitecture, programming language and execution environment. The majority of DDR3 modules are vulnerable and DDR4 modules can be vulnerable too. Thus, it is important to discover all Rowhammer attack vectors. Automated attacks through websites pose an enormous threat as they can be performed on millions of victim machines simultaneously“

src: Gruss, D., Maurice, C., Mangard, S.: Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript. In: Proc. of the Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA) (2016)

JavaScript security defeats TOR Browser + NoScript plugin:

I guess an update will fix that?

Advisory: Tor Browser 7.x has a serious vuln/bugdoor leading to full bypass of Tor / NoScript ‚Safest‘ security level (supposed to block all JS).

PoC: Set the Content-Type of your html/js page to „text/html;/json“ and enjoy full JS pwnage. Newly released Tor 8.x is Not affected.

src: https://twitter.com/Zerodium/status/1039127214602641409

Possible solution?

So maybe the solution is to allow JS to run only on sites/servers/intranet that you 100% TRUST and have explicitly put on a whitelist.

And those intranet sites and servers are shielded against hacks/viruses and someone altering your code.
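One way to express the whitelist idea above, as an added example that is not part of the original post: an exact-origin allowlist, the matching Content-Security-Policy value, and a Subresource Integrity hash that notices when a served script was altered. The hostnames and the script text are constructed placeholders.

```javascript
// Added example: default-deny script allowlist plus integrity pinning.
// Hostnames and script bodies are constructed for illustration only.
const crypto = require('node:crypto');

// Origins explicitly trusted to serve JavaScript (hypothetical intranet hosts).
const ALLOWED_ORIGINS = new Set([
  'https://intranet.example.com',
  'https://wiki.example.com:8443',
]);

// Exact origin match (scheme + host + port). Relative or unparsable URLs,
// plain http, look-alike hosts and userinfo tricks are all denied.
function isScriptAllowed(scriptUrl) {
  let parsed;
  try {
    parsed = new URL(scriptUrl);
  } catch {
    return false; // fail closed
  }
  return ALLOWED_ORIGINS.has(parsed.origin);
}

// Content-Security-Policy value so the browser enforces the same list.
function buildCsp() {
  const sources = [...ALLOWED_ORIGINS].join(' ');
  return `script-src ${sources}; object-src 'none'; base-uri 'none'`;
}

// Subresource Integrity value for a script body, as used in
// <script src="..." integrity="sha384-..." crossorigin="anonymous">.
function sriHash(body) {
  const digest = crypto.createHash('sha384').update(body, 'utf8').digest('base64');
  return `sha384-${digest}`;
}

// True only if the delivered body still matches the hash pinned at review time.
function isUnaltered(body, pinnedHash) {
  return sriHash(body) === pinnedHash;
}

// Constructed sample: the script as reviewed, and the hash pinned for it.
const reviewed = 'document.title = "intranet";';
const pinned = sriHash(reviewed);

console.log(buildCsp());
console.log(isScriptAllowed('https://intranet.example.com.evil.example/app.js'));
console.log(isUnaltered(reviewed + ' /* changed */', pinned));
```

The allowlist covers where a script may come from; the pinned hash covers the second condition in the text, that nobody altered the code on a trusted server.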

admin