[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : JavaScript Vulnerability

Title: JavaScript Vulnerability
Released by: CERT
Date: 8th July 1997
Printable version: Click here

Hash: SHA1


CERT* Advisory CA-97.20

Original issue date: July 8, 1997

Last Revised: September 30, 1997

              Updated copyright statement

              A complete revision history is at the end of this file.

Topic: JavaScript Vulnerability

- -----------------------------------------------------------------------------

The CERT Coordination Center has received reports of a vulnerability in

JavaScript that enables remote attackers to monitor a user's Web activities.

The vulnerability affects several Web browsers that support JavaScript.

The vulnerability can be exploited even if the browser is behind a firewall

and even when users browse "secure" HTTPS-based documents.

The CERT/CC team recommends installing a patch from your vendor or upgrading

to a version that is not vulnerable to this problem (see Section III. A).

Until you can do so, we recommend disabling JavaScript (see Section III.B).

We will update this advisory as we receive additional information.

Please check our advisory files regularly for updates that relate to your site.

- -----------------------------------------------------------------------------

I.   Description

     Several web browsers support the ability to download JavaScript programs

     with an HTML page and execute them within the browser. These programs

     are typically used to interact with the browser user and transmit

     information between the browser and the Web server that provided the


     JavaScript programs are executed within the security context of the page

     with which they were downloaded, and they have restricted access to other

     resources within the browser. Security flaws exist in certain Web

     browsers that permit JavaScript programs to monitor a user's browser

     activities beyond the security context of the page with which the

     program was downloaded. It may not be obvious to the browser user that

     such a program is running, and it may be difficult or impossible for the

     browser user to determine if the program is transmitting information

     back to its web server.

     The vulnerability can be exploited even if the Web browser is behind a

     firewall (if JavaScript is permitted through the firewall) and even when

     users browse "secure" HTTPS-based documents.

II.  Impact

     This vulnerability permits remote attackers to monitor a user's browser

     activity, including:

        * observing the URLs of visited documents,

        * observing data filled into HTML forms (including passwords), and

        * observing the values of cookies.

III. Solution

     The best solution is to obtain a patch from your vendor or upgrade to a

     version that is not vulnerable to this problem. If a patch or upgrade is

     not available, or you cannot install it right away, we recommend

     disabling JavaScript until the fix is installed.

     A. Obtain and install a patch for this problem.

        See Appendix A for the current information from vendors. We will

        update the appendix when we receive further information.

     B. Disable JavaScript.

        Until you are able to install the appropriate patch, we recommend

        disabling JavaScript in your browser. Note that JavaScript and Java

        are two different languages, and this particular problem is only with

        JavaScript. Enabling or disabling Java rather than JavaScript will

        have no effect on this problem.

        The way to disable JavaScript is specific to each browser. The

        option, if available at all, is typically found as one of the Options

        or Preferences settings.


Appendix A - Vendor Information

Below is information we have received from vendors.  We will update this

appendix as we receive additional information.



  For more information please refer to the HEWLETT-PACKARD SECURITY

  ADVISORY "Security Advisory in Netscape shipped with HP-UX",

  Document ID: HPSBUX9707-065.

  User your browser to get to the HP Electronic Support Center page:


               (for US, Canada, Asia-Pacific, & Latin-America)

          http://europe-support.external.hp.com (for Europe)

  Click on the Technical Knowledge Database, register as a user

  (remember to save the User ID assigned to you, and your password),

  and it will connect to a HP Search Technical Knowledge DB page.

  Near the bottom is a hyperlink to our Security Bulletin archive.

  Once in the archive there is another link to our current

  security patch matrix. Updated daily, this matrix is categorized

  by platform/OS release, and by bulletin topic.

IBM Corporation


  Netscape for IBM's OS/2 Operating System is vulnerable. The vulnerable

  version and the patched version are both 2.02. The latest version is

  available from http:// www.internet.ibm.com/browsers/netscape/warp

  To tell if you need to download and reinstall, open the Netscape folder on

  the OS/2 desktop. Click on the icon marked "Installation Utility." When the

  "Installation and Maintenance" program starts, make sure "02.02.00 Netscape

  for OS/2" is highlighted and hit control-S. On the product status panel that

  opens up, highlight "Netscape Navigator" and then press the "Service Level"

  button next to it. Ignore the install date -- that's the date Navigator was

  installed.  If "Level" is not "000004" or later, you should download

  Netscape Navigator for OS/2 from the above mentioned URL and install it.



  Microsoft Internet Explorer 3.* and  4.* are vulnerable.  Microsoft has

  announced their patch plans for this problem at:




  Netscape Navigator/Communicator versions 2.*, 3.* and 4.* are vulnerable.




  for details.

- -----------------------------------------------------------------------------

The CERT Coordination Center thanks Vinod Anupam of Bell Labs, Lucent

Technologies, for identifying and analyzing this problem, and vendors for

their support in responding to this problem.

- -----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT

Coordination Center or your representative in the Forum of Incident Response

and Security Teams (see http://www.first.org/team-info/).

CERT/CC Contact Information

- ----------------------------

Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)

                CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)

                and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address

         CERT Coordination Center

         Software Engineering Institute

         Carnegie Mellon University

         Pittsburgh PA 15213-3890


Using encryption

   We strongly urge you to encrypt sensitive information sent by email. We can

   support a shared DES key or PGP. Contact the CERT/CC for more information.

   Location of CERT PGP key


Getting security information

   CERT publications and other security information are available from



   CERT advisories and bulletins are also posted on the USENET newsgroup


   To be added to our mailing list for advisories and bulletins, send

   email to


   In the subject line, type

        SUBSCRIBE  your-email-address

- ------------------------------------------------------------------------------

Copyright 1997 Carnegie Mellon University. Conditions for use, disclaimers,

and sponsorship information can be found in

http://www.cert.org/legal_stuff.html and http://ftp.cert.org/pub/legal_stuff .

If you do not have FTP or web access, send mail to cert@cert.org with

"copyright" in the subject line.

CERT is registered in the U.S. Patent and Trademark Office.

- ---------------------------------------------------------------------------

This file: http://info.cert.org/pub/cert_advisories/CA-97.20.javascript


               click on "CERT Advisories"


Revision history

Sept. 30, 1997  Updated copyright statement

Sept. 17, 1997  Appendix A - updated Netscape's URLs

                Updated our copyright statement

July 28, 1997   Appendix A - added information for Hewlett-Packard and IBM.

                Section III.A - slight wording change.

July 14, 1997   Section III.B - fixed a typographical error.

July 11, 1997   Updated Appendix A with vendor information

                for vulnerable browers.


Version: PGP for Personal Privacy 5.0

Charset: noconv





(C) 1999-2000 All rights reserved.