JavaScript and security: Does JavaScript have any security problems?
The Wayback Machine - https://web.archive.org/web/20220324025743/https://www.whatismybrowser.com/guides/how-to-enable-javascript/faq/javascript-security

Is JavaScript secure?

Updated at: Feb 23, 2022

There are three main kinds of security concerns that relate to JavaScript:

1. Security risks with JavaScript itself (the language definition)
2. Security risks with how JavaScript works in a particular web browser (the engine)
3. Security risks with the way a website has used JavaScript

These three concerns are all quite different and actually fairly unrelated to each other.

Security risks with JavaScript itself

This concern relates to issues which might exist in, or be introduced to, the actual definition of the JavaScript language itself at some point in the future. JavaScript, and what it can and can't do, is defined quite specifically, and the security concern here is that one day new features or abilities might be added to JavaScript which cause security problems.

Let me give you a far-fetched example to illustrate: thus far, by definition, JavaScript is simply not allowed to read arbitrary files off your computer's hard disk (at least without you first giving it permission). In other words, JavaScript on a website can't just open up your personal photos or music on your computer and scan through it all. But one day, theoretically, the definition of what JavaScript can do (i.e. what it "is allowed to do") could change to allow such a thing.

The designers of the ever evolving JavaScript language definition have shown themselves to be quite thoughtful and security orientated since JavaScript's inception. So changes like the one I just made up would almost certainly never, ever, ever be approved and added to JavaScript. If they even proposed it there would be an enormous backlash from the developer and security communities, so I doubt that something like that would ever even be proposed. But, if we're talking security considerations, this is an (unlikely) way that JavaScript could have issues one day.

You have to remember that even though "most" websites on the internet aren't shady or dangerous, there are ones that are, and those websites need to be prevented from doing horrible things on your computer. It's largely up to the designers of JavaScript to not even make "bad" things possible, as much as they can.

There are already lots of security-orientated restrictions on what JavaScript can do, and I personally think the JavaScript developers do a good job of keeping things pretty sensible about what it can and can't do.

Security risks with how JavaScript works in a particular web browser

So, we just discussed in the first point Security and JavaScript itself - how there is a "specification document" of what JavaScript "is" - how it should work, how code written in JavaScript should run, what is allowed and what isn't, and so on; but this is just a document, it's like a dictionary definition of an ideal.

For code written in JavaScript to actually "work", Software Developers - such as the ones who make Chrome, Firefox, or Safari - have to take that specification document and then write their own software implementation (or "Engine") which will then be able to make the JavaScript on websites actually work and do what it's supposed to do.

And this is probably where most real "security concerns" with JavaScript come in.

The risks here are that criminals could write JavaScript that causes one of these JavaScript Engines to do something it's not supposed to be allowed to do. The malicious code might use some kind of "trick" to fool the Engine into doing something it's not supposed to do.

Building a JavaScript Engine that can safely load JavaScript code from websites, run the code, run it efficiently, and not accidentally let bad things happen, is an extremely complicated undertaking. And as with any large and complex undertaking, there are always problems. As well as that, new features are always being added, so it's like hitting a moving target, while at the same time making sure you don't break anything that you've already finished.

The most popular JavaScript Engine is called "V8" - it is developed by the Chromium team, and it is used in all Chromium based browsers: the main ones being Google Chrome, Microsoft Edge, and Brave. Another popular one is called "JavaScriptCore" and is used by web browsers based on WebKit: namely Apple's Safari browser.

Security bugs are found in these JavaScript engines from time to time; but fortunately they are usually fixed quickly, so make sure you update your browser regularly so that you have a web browser that's as safe as possible.

Security risks with the way a website has used JavaScript

The final area of JavaScript security risks is in the JavaScript code that the different websites write and use themselves. In other words: we've discussed the "rules"/"definition" of the JavaScript language itself, the engines that make JavaScript code work - but the final risk is the way websites program their own JavaScript code.

Problems with JavaScript on a website are the most common aspect of JavaScript security risks. The possibility is that the developers who made a particular website might have written faulty code for their site. Depending on a number of factors, the effects of these bugs can range from annoyances and functionality not working properly, to code that is actually dangerous or insecure.

There are lots of types of website security vulnerabilities in which JavaScript plays a part, but we won't discuss them here, because they are not strictly JavaScript vulnerabilities; they are more general types of problems and not just the fault of badly written JavaScript code.

The number one most common JavaScript based security problem is called Cross Site Scripting Attacks.

A Cross Site Scripting Attack is when a website is vulnerable to having malicious code injected into it by a different website. In other words, a malicious website could trick a vulnerable website in to running dangerous code.

This malicious code can then do lots of bad things; it depends on the site, but typically the code would try to steal your authentication cookie, or maybe take some kind of site-specific action (e.g. make a purchase using your credit card, etc.). Web browsers prevent code from one website from affecting other websites; but if a criminal can find a way to trick a site into including their code on a different site, then they may well end up with "free rein" on the compromised site, and can do lots of really bad stuff.
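The bug being described comes down to a site putting untrusted text straight into its page markup. The following is an added illustration (not code from this article or from whatismybrowser.com): the same greeting rendered the vulnerable way and the hardened way, with a small check that tells the two apart. The display-name scenario and the probe string are constructed for the example.

```javascript
// Added example, not code from the original article: a site shows a
// visitor-supplied display name, the vulnerable way and the hardened way.
// Assumed scenario; the probe input below is constructed for the test.

// Map every HTML-significant character to its entity so the browser
// treats untrusted text as text, never as markup.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the untrusted value is spliced directly into markup, so a
// name that contains tags becomes executable content once the string is
// assigned to innerHTML. This is the Cross Site Scripting bug the article
// describes.
function renderGreetingUnsafe(displayName) {
  return `<p class="greeting">Welcome back, ${displayName}!</p>`;
}

// Hardened: the value is escaped for the HTML text context first, so the
// browser renders the characters literally instead of parsing them.
function renderGreetingSafe(displayName) {
  return `<p class="greeting">Welcome back, ${escapeHtml(displayName)}!</p>`;
}

// Defender's check: does the rendered output contain any tag that was not
// already part of the site's own template?
function introducesMarkup(rendered, template) {
  const tagsIn = (s) => s.match(/<[a-zA-Z/][^>]*>/g) || [];
  const allowed = new Set(tagsIn(template));
  return tagsIn(rendered).some((tag) => !allowed.has(tag));
}

const TEMPLATE = renderGreetingSafe("");         // the tags we expect to see
const PROBE = "<script>alert('xss')</script>";   // constructed test input

console.log(introducesMarkup(renderGreetingUnsafe(PROBE), TEMPLATE)); // true
console.log(introducesMarkup(renderGreetingSafe(PROBE), TEMPLATE));   // false
```

Escaping for the text context is the minimum; the same untrusted value placed inside an attribute, a URL, or a script block needs the escaping rules for that context, and a templating library that does this automatically is the usual fix.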

In terms of JavaScript security risks, this is probably the number one reason why people choose to disable JavaScript in their browser.