
What’s the worst that JavaScript might actually do, based on the sites that are out there?

I've been using NoScript since I barely escaped being infected by quite sophisticated malware a few years ago.

An innocent site (local public transport) had had a single malicious line injected into its content management system (most probably after an untargeted "fishing for vulnerabilities" botnet scan). This one line was a JavaScript include which in turn triggered a series of jumps to servers all over the world (mostly China and Russia).

In the process, multiple layers of heavily obfuscated JS code were both loading hidden frames loaded with ads (presumably for click / impressions fraud) and trying to load hidden PDF embeds which contained a payload of hidden executables for infecting your local computer (exploiting Acrobat Reader security holes).

I only found out because Acrobat is such a huge resource hog that I noticed and managed to kill it in the task manager before it finished loading.

I was using up-to-date Firefox and up-to-date antivirus AND I had disabled the Acrobat plugin.

Upon inspection, the malicious code appeared to be cross-platform and multi-target, using vendor-specific JS extensions. I remember that besides Acrobat it was also targeting Silverlight (and this was at a time when it was a very new technology).
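An added example, not code from the comment or from any site or project it mentions: a small defensive scanner for the pattern the commenter describes, a third-party script include sitting next to hidden frames or PDF embeds in a page the CMS serves. The sample HTML and all hostnames are constructed.

```python
"""Flag the markers of a CMS injection like the one in the post:
a third-party <script> include plus hidden iframes/embeds/objects,
especially ones that point at a PDF. Stdlib only."""
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = ("display:none", "visibility:hidden")


def _is_hidden(attrs):
    """Hidden if the inline style hides it or it is sized to 0/1 pixel."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if any(h in style for h in HIDDEN_STYLE):
        return True
    dims = [attrs.get(k, "").strip("\"'px") for k in ("width", "height")]
    return any(d in ("0", "1") for d in dims)


class InjectionScanner(HTMLParser):
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.findings = []  # (kind, url) tuples

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src") or a.get("data") or ""
        host = urlparse(src).netloc.lower()
        third_party = bool(host) and host != self.own_host
        if tag == "script" and third_party:
            self.findings.append(("third-party-script", src))
        if tag in ("iframe", "embed", "object"):
            if _is_hidden(a):
                self.findings.append(("hidden-" + tag, src))
            if urlparse(src).path.lower().endswith(".pdf"):
                self.findings.append(("pdf-" + tag, src))


def scan(html, own_host):
    """Return the findings for one page; own_host is the site's own hostname."""
    p = InjectionScanner(own_host)
    p.feed(html)
    return p.findings


# Constructed sample resembling the injected timetable page; hosts are made up.
SAMPLE = """<html><body><h1>Timetable</h1>
<script src="/js/site.js"></script>
<script src="http://stats.example.net/c.js"></script>
<iframe src="http://ads.example.org/x" width="1" height="1"></iframe>
<embed src="http://drop.example.org/a.pdf" style="display: none"></embed>
</body></html>"""

if __name__ == "__main__":
    for kind, url in scan(SAMPLE, "transit.example.com"):
        print(f"{kind}: {url}")
```

Running this against a copy of every page the CMS renders, and diffing the findings against a known-good baseline, catches the single injected line the commenter describes before a visitor's browser ever fetches it.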


