[CentOS] C5 : Firefox 38 bug

Fri Jun 12 17:57:08 UTC 2015
Jonathan Billings <billings at negate.org>

On Sat, Jun 13, 2015 at 10:55:47AM -0600, jd1008 wrote:
> The most offensive problem of using browsers is that
> they do not tell you nor ask your permission when javascripts
> spy on your entire storage contents.

Huh?  You've been misinformed.  Certainly there have been exploits
against browsers to bypass the sandbox, but this isn't the default
configuration in any browser I know of.

> I had asked a java developer at Sun Microsystems about
> what Sun means when it says that Java runs in a sandbox?
> Just what is the sandbox?
> I also asked if browsers that execute javascripts are restricted
> to this notion of a sandbox that does not leak out into
> the rest of the system.
> He said the "sandbox" is the entire storage on your computer.

Java != JavaScript.  It's a common misconception.  Perhaps that's why
this java developer might have answered the way he did, although I'm
fairly certain Java sandboxes can also be restricted (although I'm no
Java developer) so they don't have access to the entire storage of
your computer.  Certainly, simple UNIX permissions prevent both Java
and browsers from getting access to the *entire* storage on your
computer, unless they're used to exploit some other vulnerability.

If you're concerned about JavaScript, I suggest looking into the
NoScript Firefox extension.

Jonathan Billings <billings at negate.org>