Chapter 7: JavaScript and Flash
The early 1990s were the time when the internet and everything related to computers was just starting to take off, so everyone experimented to see what they could come up with. One such invention was JavaScript, a dynamic programming language. The main draw of JavaScript was the ability to change the page while the user was interacting with it. You know all those banners that follow you around the page? That's JavaScript. Resizing comment boxes? JavaScript. Visiting your favorite website and clicking on content to enlarge it? You get the picture.
JavaScript is everywhere and apparently can do everything, which is how websites gradually started including it where it doesn't belong. Cross-site scripting, a way for hackers to inject third-party JavaScript into target websites and have it executed in the browser of anyone who visits them, was first noticed in the early 2000s. Now the term applies to all sorts of code, but it initially referred to JavaScript, so that's the context we'll use it in.
Cross-site scripting, or XSS (abbreviated like that because X is much cooler than C), relies on the fact that browsers typically check three things when deciding whether to accept or refuse content: the entire web address, the name of the host and the IP address. All content that matches the same three conditions is treated the same, so XSS looks for weaknesses in trusted websites that let it inject its own code into whatever is being served to the browser. Browsers can fight this in several ways, one of which is sandboxing: separating every browser tab into its own bubble that can't affect anything else. Sandboxing is the main reason why browsers, Google Chrome in particular, use so much RAM.
Even sandboxing might not be enough in the future, as the Row Hammering attack looks at jumping the air gap, the distance between two physically separate components[17]. As technology advances, hardware gets smaller and denser, packing more components into less space. Past a certain point, these components become very sensitive to nearby influences, which is what Row Hammering exploits. A common RAM stick refreshes its state millions of times a second, usually denoted by its frequency in megahertz (MHz). By making these tiny components refresh much faster and with greater coordination than they're accustomed to, Row Hammering induces RAM errors that, with some luck, can be exploited to make the operating system load the wrong files, and thus malware.
When all you have is electronics, all attack vectors start getting named after hammers. PowerHammer is a way to jump the air gap and send data out through the power cable[18] in cases where malware is already on the air-gapped machine. By precisely timing the workload of a machine, it can be made to draw more or less power, and the outside party can stand by a power service panel to read the fluctuations and receive data at a rate of 120 bytes a second.
An XSS (cross-site scripting) attack could look like this – there is a search box on a website. When visitors type in a word, such as “car” or “door”, the website runs the search and returns the results. If a piece of JavaScript code is typed into the search box instead, the website, depending on how it's built, goes haywire and can be made to execute the third-party code. On its own, this isn't that scary, but just like we saw with George the catfisher, it's the combination of security weaknesses in several related systems that makes hacks devastating. If this kind of malformed link pointing to bizarre search results is shared with gullible people – for example, those being catfished on Facebook or Tinder – there is a huge chance someone will fall for it and click the link. Then the rest depends on the code, which can steal cookies, install trojans and so on.
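To make the search-box scenario concrete, here is an added example (not from the book) of the same results page rendered two ways: the careless version echoes the visitor's query straight into the HTML, and the hardened version escapes it first. The catalogue, the query and the `attacker`-free marker payload are all constructed for illustration.

```javascript
// Added example: a search results page rendered unsafely and safely.
// Constructed sample catalogue standing in for the site's search backend.
const CATALOGUE = ["car", "car door", "garage door", "doormat"];

function search(query) {
  const q = query.toLowerCase();
  return CATALOGUE.filter((item) => item.includes(q));
}

// Vulnerable: the raw query is echoed back into the page, so any markup a
// visitor was tricked into submitting is handed to the browser as code.
function renderUnsafe(query) {
  const hits = search(query).map((h) => `<li>${h}</li>`).join("");
  return `<h2>Results for: ${query}</h2><ul>${hits}</ul>`;
}

// Hardened: replace the five characters HTML treats specially before
// interpolating anything that came from the user (or from the catalogue).
function escapeHtml(text) {
  const table = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => table[ch]);
}

function renderSafe(query) {
  const hits = search(query).map((h) => `<li>${escapeHtml(h)}</li>`).join("");
  return `<h2>Results for: ${escapeHtml(query)}</h2><ul>${hits}</ul>`;
}

// Detection helper a site owner could run over rendered pages or logged
// queries: does the text still contain a tag the browser would execute?
const SCRIPT_TAG = /<script\b/i;
function containsScriptTag(html) {
  return SCRIPT_TAG.test(html);
}

// Constructed "search term" of the kind described in the text: a harmless
// marker script rather than a real search word.
const HOSTILE_QUERY = '<script>alert("xss")</script>';

console.log(containsScriptTag(renderUnsafe(HOSTILE_QUERY))); // true
console.log(containsScriptTag(renderSafe(HOSTILE_QUERY)));   // false
```

The unsafe page still contains a live `<script>` element after rendering; the escaped page shows the visitor the literal text they typed and nothing runs.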
Firefox users can run NoScript, an add-on that allows the user to block some or all JavaScript from executing. One nice feature of NoScript is that it lets the user peek under the hood as the page is loading and running to see how JavaScript actually works. Another relevant add-on is Greasemonkey, which lets you inject code directly into your browser as you're using it. So, you can write your own code or copy someone else's and run it through Greasemonkey to immediately change how websites work and feel on your end, such as changing the background color, zooming in or out, and so on.
Google decided to use JavaScript for added security starting in November 2018, requiring all users logging into Google services to have JavaScript enabled[19]. The idea is that hackers use stripped-down versions of browsers to run hundreds of them at once; these tools would supposedly pick up on that and deny a login, even one made with a proper username and password.
Cookies and JavaScript are typically small morsels of data and don't impact browser performance, but an avalanche of both makes the browser grind to a halt, and the dreaded “loading” spinner shows up: you can't click anything, you can't close the tab, go back or do much of anything except hold still or restart the machine. Cookies and JavaScript files also fill up the hard drive, which isn't a big deal at first, but it all adds up. To make matters worse, this torrent of data hogs your bandwidth, which is usually capped in the US, literally wasting the user's money to ineffectively spy on them. It's not the first time previously glorified technology became a burden, as evidenced by Adobe Flash.
Flash was originally used by Adobe as a rich framework for animation, such as online video games; even YouTube used Flash to deliver videos. The intention behind Flash was to make it the gold standard of online animation, with the possibility of encrypting Flash content to prevent sharing and make each customer fork out cash for a separate copy, but that never panned out. Hackers ripped Flash apart to find numerous security flaws, each of which Adobe had to patch at its own expense. In the end, Flash was everywhere, slowed machines, annoyed users with autoplay videos and represented a security risk. All major browsers have transitioned away from Flash, and Adobe will finally be able to breathe a sigh of relief in 2020 when Flash is no longer supported.