Rudxain (talk | contribs)
"attempt solve" -> "mitigate"
Rudxain (talk | contribs)
mention performance issues
Line 36: Line 36:
*Remote code execution. This is used by hackers and crackers to build [[wikipedia:Botnet|bot-nets]] for [[wikipedia:Ddos#Distributed_DoS|DDoS]] or [[wikipedia:Cryptocurrency|crypto]]-mining, but it's mostly used for [[spyware]] since it can hide more easily.
*Remote code execution. This is used by hackers and crackers to build [[wikipedia:Botnet|bot-nets]] for [[wikipedia:Ddos#Distributed_DoS|DDoS]] or [[wikipedia:Cryptocurrency|crypto]]-mining, but it's mostly used for [[spyware]] since it can hide more easily.
Browser-engine developers (such as [[Google]] and [[Mozilla]]) not only feel compelled, but are economically incentivized to optimize JS to its limits.{{Citation needed}} This leads to complex code-bases that are harder to verify for correctness. Browser vendors mitigate this via [[wikipedia:Sandbox_(computer_security)|sandboxing]]. Unfortunately, since modern browsers compile JS to native CPU code (see [[wikipedia:Just-in-time_compilation|JIT]]) to improve performance, this introduces a higher risk of sandbox-escape, as the code can more easily find vulnerabilities to manipulate the engine.
Browser-engine developers (such as [[Google]] and [[Mozilla]]) not only feel compelled, but are economically incentivized to optimize JS to its limits.{{Citation needed}} This leads to complex code-bases that are harder to verify for correctness. Browser vendors mitigate this via [[wikipedia:Sandbox_(computer_security)|sandboxing]]. Unfortunately, since modern browsers compile JS to native CPU code (see [[wikipedia:Just-in-time_compilation|JIT]]) to improve performance, this introduces a higher risk of sandbox-escape, as the code can more easily find vulnerabilities to manipulate the engine.
JS not only makes pages "dynamic", the language itself is very dynamic, which is hard to optimize by engines. To put into perspective how slow JS can be, someone bench-marked a bloated pure-HTML page and a "simple" React app, the bloated HTML rendered faster.<ref>{{Cite web |last=Leatherman |first=Zach |date=2019-09-06 |title=Which has a better First Meaningful Paint time? |url=https://twitter.com/zachleat/status/1169998370041208832 |url-status=live |archive-url=https://web.archive.org/web/20240529104252/https://x.com/zachleat/status/1169998370041208832 |archive-date=2024-05-29 |access-date=2024-05-29 |website=Twitter/X}}</ref>


==Incidents==
==Incidents==
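Review bot: the added paragraph (the line beginning "JS not only makes pages") backs a claim about how slow JS can be with a source whose cited title is "Which has a better First Meaningful Paint time?". That is a page-rendering metric comparing a React app with static HTML, not a measure of the language's execution speed. Suggest wording the sentence around what the source measured, for example that the bloated HTML page reached First Meaningful Paint before the "simple" React app. The citation names Zach Leatherman, so "someone" can be replaced with the author. The comma splice in "... a "simple" React app, the bloated HTML rendered faster" should be split into two sentences, and "which is hard to optimize by engines" reads better as "which makes it hard for engines to optimize". Since the edit summary is "mention performance issues" and the paragraph lands directly after the remote code execution and sandbox-escape text, consider giving it its own bullet or heading so it does not read as part of the security discussion.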