How dangerous can JavaScript be?

See http://en.wikipedia.org/wiki/Cross-site_scripting and http://en.wikipedia.org/wiki/Cross-site_request_forgery for examples of how someone with malicious intent can cause problems using JavaScript.

FWIW - I personally don't roll with NoScript as I think it's a major headache. Sometimes you just have to watch where you're browsing and hope for the best.


The reason NoScript even exists in the first place is not necessarily JavaScript per se, but security holes in the browser. In the past Firefox and other browsers have had many security vulnerabilities that have allowed malicious JavaScript to do bad things to a user's system. (In many cases native code could be executed through JavaScript, meaning a website could potentially do anything to your computer.) There is also a possibility of cross-site scripting attacks, like @Eric said.

However, these threats are very few and far between unless you regularly browse shady websites, so whether or not NoScript is worth the hassle is up to you. Personally, I don't find it to be worth it, especially considering that more and more websites require JavaScript to function at all, which means you will constantly be whitelisting scripts or entire domains (and at that point, you're defeating some of the benefit of using it in the first place).