JavaScript

JavaScript is a client-side scripting language that can be used to include small programs that are executed when HTML documents are loaded. JavaScript has a history of security problems, most of which involve user privacy issues. Although the majority of these problems have gradually been fixed, new ones continue to be found. The following is an overview of some JavaScript security problems:

• Netscape Navigator versions 4.0 through 4.04 allow JavaScript programs to access browser preferences which contain private information such as the users e-mail address and e-mail password. Reported February 1998[17].
• Internet Explorer 4.0 is vulnerable to a bug which allows any text, image, or HTML file located on a user's computer to be obtained by a remote web site maintainer. This exploit creates a 1x1 invisible frame and executes a JavaScript program to search for well-known files and unknowning to the user upload them to any site on the Internet. Reported October 16, 1997[17].
• Versions of Internet Explorer and Netscape are vulnerable to an exploit that monitors user browsing history and transmits the information to any site on the Internet. Most variants of this exploit create a 1x1 invisible frame that executes a JavaScript program that continuously monitors user activity. The gathered information can be sent to any Internet site. This bug turns out to be difficult to fix and therefore almost all browsers are vulnerable. Reported August 29, 1997[17].
• JavaScript programs can trick Netscape into uploading any known local file on the user's computer to a remote site. This bug exploits a flaw in Netscape forms. Recent versions of Netscape fix this problem. Reported June 25, 1997[17].
• Early versions of Netscape JavaScript can send e-mail messages without the user's knowledge. This exploit can also be used to obtain user e-mail addresses. Reported in Netscape 2.0[17].