JavaScript
JavaScript (JS) is arbitrary third-party code run on your computer. It presents a very significant yet preventable security risk.
Note: No JavaScript is used in any of our web pages. Exercise: Figure out how to verify this.
Client-side risks:
- Browser fingerprinting and tracking
- Exfiltration of sensitive data
- Cross-site scripting (XSS)
- Browser key-loggers and clipboard skimming
- Resource theft like cryptomining
Server-side risks:
- Rogue libraries, supply chain compromise
- Code injection
- Legal exposure for violating international privacy laws
Almost every mechanism to install and run code on your systems involves proper checks to prevent malicious execution. App stores and code repositories at least offer some quality control, code signing and provenance oversight. JavaScript is the exception. It leaves the door wide open to more or less arbitrary code execution. If you use a standard browser like Google Chrome or Firefox, you download and execute JavaScript thousands of times per day. The mitigations are weak, brittle trust models based on "origins", DNS queries or even IP addresses. Most are opaque to the end user whose data is at risk.
JavaScript is touted as "safe" by some because it is sandboxed. It runs within a browser, which is assumed to be isolated from the main system. In practice, sandboxing provides only a limited measure of security. Any sensitive data within the sandbox is at risk. Any misconfiguration or malicious browser plugin can blow a huge hole in your security and expose the full system.
Basic JavaScript hygiene:
- Where possible, don't even enable it
- Turn it off by default
- Only run JavaScript when absolutely necessary
- If a site will not function without it, find an alternative
- Use NoScript or a browser that allows per-page control
- Deploy a single-use, immutable browser with no persistent memory
- As a developer, don't use it:
  - CSS is now Turing Complete
  - If you're relying on client side you're "doing the web wrong"
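
One way to check that a page ships no JavaScript, as the note at the top invites and as the developer advice implies (an added example, not code from this site; the sample pages and the names `audit`, `ScriptAudit` and `is_js_url` are constructed for illustration). It is a static check of the markup as served: it flags script elements, `on*` event-handler attributes, `javascript:` URLs and scripts nested in an iframe `srcdoc`.

```python
from html.parser import HTMLParser

# Attributes whose value is a URL the browser may load or navigate to.
URL_ATTRS = {"href", "src", "action", "formaction", "data", "xlink:href"}

# Constructed sample pages, not taken from any real site.
CLEAN = '<html><body><h1>Notes</h1><a href="/about.html">About</a></body></html>'
DIRTY = """<html><body>
<script src="https://cdn.example/a.js"></script>
<img src="x.png" ONLOAD="track()">
<a href=" JavaScript:void(0)">more</a>
<iframe srcdoc="&lt;script&gt;1&lt;/script&gt;"></iframe>
</body></html>"""

def is_js_url(value):
    # Browsers ignore leading whitespace and tabs/newlines in a URL, so drop
    # (conservatively) every space and control character before comparing.
    compact = "".join(ch for ch in value if ch > " ")
    return compact.lower().startswith("javascript:")

class ScriptAudit(HTMLParser):
    """Records every construct in the markup that can run JavaScript."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (line number, description)

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        if tag == "script":
            self.findings.append((line, "script element"))
        for name, value in attrs:  # names are lower-cased, values unescaped
            value = value or ""
            if name.startswith("on"):  # conservative: any on* attribute
                self.findings.append((line, f"event handler {name}"))
            elif name in URL_ATTRS and is_js_url(value):
                self.findings.append((line, f"javascript: URL in {name}"))
            elif tag == "iframe" and name == "srcdoc":
                # srcdoc carries a nested HTML document: audit it too.
                for _, what in audit(value):
                    self.findings.append((line, f"srcdoc: {what}"))

def audit(html):
    """Return all findings; an empty list means no script was found."""
    parser = ScriptAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    print(*audit(DIRTY), sep="\n")
```

Feed it the saved source of each page (for example in a pre-publish check) and fail the build when the returned list is non-empty.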