In the past (our full Omnibus), we have covered many problematic corporations for their privacy invasion and their harvesting and selling of our data, and we even mapped our current situation to 'Orwell's Blueprint'. Metadata, and its misuse, is a major concern for many of our readers, but JavaScript is probably not something that many people are aware of or concerned about... and why should they be? It's not an evil capitalist entity, it's a piece of code (that drives the majority of all websites!).

You've heard of NSO Pegasus and how links can easily be sent that take information from your phone. This was highlighted on iMessage and WhatsApp but can really happen on any messenger out there. It can also happen with your email app or by visiting a website. Most people believe that all is good as long as you don't click links from people you don't recognize. However, thanks to JavaScript, you do not need to click these links; they only need to be seen, and the rest happens in the background inside your device.

Unfortunately, a VPN or Tor cannot protect you from the most common attack vectors and malware infections.

JavaScript is used on around 95% of the entire web, as it makes it easy for developers to create apps and websites that render, function, refresh etc. on all platforms and devices, regardless of whether they're mobile, iOS, Android, Microsoft, Linux, or macOS. It is used for dynamic content, meaning things like showing you relevant links on a video you are watching or refreshing the site as you scroll (endless scrolling etc.).

This all sounds great at first, but consider that Google, for example, also monitors your browsing and scrolling habits with this method. It gives data brokers identifiers about you, such as your screen resolution, location, network time, system fonts, typing style, and what and how you scroll, and it adjusts content to your “needs” accordingly. Basically, it creates a real-life identity, regardless of the operating system you are on and which apps you are using. JavaScript can also see whether you have multiple tabs open or are using an app in split screen, for example on your iPad or desktop.

This also means that JavaScript is your weakest link. In other words, you can have great passwords, perhaps even a password manager, and use Signal or any other encrypted messenger, and yet because of JavaScript a hacker can have access to this data. Even Tor users can be de-anonymised with JavaScript.

Remember, it is not only Google Search, the Facebook app and co. that track you: every news site, every blog, everything you do online has 3rd party trackers enabled. They all collect your information and link it together via JavaScript. About 60% of the content your browser delivers is rendered using 3rd party JavaScript. The issue here is that you have no idea who these 3rd parties are or what they are doing on your device. It is like installing an app every time you visit a website. Consider that 92% of websites expose data to at least 20 3rd parties on average, and that many data breaches and stolen credentials are collected and shared through these 3rd parties.

Thankfully, you can use much of the internet without JavaScript. This doesn't mean Google, Apple, Facebook and co. won't be able to track you any more, but it will limit much of the tracking and many of the identifiers they are using. They can still see what browser you are using and what IP address your browser is using, but it stops them from profiling pretty much everything else about you.

97% of websites are using dangerous JavaScript functions that could serve as injection points to initiate a DOM XSS attack. This is basically a cross-site scripting (XSS) attack, mostly used to copy users' cookies and credentials, which a hacker can use later on to impersonate the user. These attacks still work even if you update your device and are otherwise careful about securing your devices.
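To make "dangerous JavaScript functions" concrete, here is an added example (not part of the original article) that flags the usual DOM XSS sinks in a piece of script source. The sink and source lists are a common short selection rather than a complete one, and the sample script is constructed.

```javascript
// Added example: flag DOM XSS sinks in script source, line by line.
// Heuristic only: it shows where a review should start, not proven bugs.

// Sinks: places where a string is turned into markup or code.
const SINKS = [
  { name: 'innerHTML/outerHTML assignment', re: /\.(inner|outer)HTML\s*\+?=(?!=)/ },
  { name: 'insertAdjacentHTML()', re: /\.insertAdjacentHTML\s*\(/ },
  { name: 'document.write()', re: /\bdocument\.write(ln)?\s*\(/ },
  { name: 'eval()', re: /\beval\s*\(/ },
  { name: 'string passed to setTimeout/setInterval', re: /\bset(Timeout|Interval)\s*\(\s*["'`]/ },
];

// Sources: values a remote party can influence via the URL or referrer.
const SOURCES = /\b(location\.(hash|search|href)|document\.(URL|referrer)|window\.name)\b/;

function findSinks(code) {
  const findings = [];
  code.split('\n').forEach((text, i) => {
    const line = text.trim();
    if (line.startsWith('//')) return; // skip full-line comments
    for (const sink of SINKS) {
      if (sink.re.test(line)) {
        // "tainted" marks the higher-priority case: a source read on the same line.
        findings.push({ line: i + 1, sink: sink.name, tainted: SOURCES.test(line) });
      }
    }
  });
  return findings;
}

// Constructed sample script mixing safe and unsafe ways to display a value.
const SAMPLE_JS = [
  'const q = new URLSearchParams(location.search).get("q");',
  'results.textContent = q;                              // safe: text only',
  'banner.innerHTML = "You searched for " + q;           // sink, value arrives indirectly',
  'title.innerHTML = decodeURIComponent(location.hash);  // sink fed directly by the URL',
  '// eval(legacy) was removed here',
  'setTimeout("refresh()", 5000);                        // string is compiled as code',
].join('\n');

function demoSinks() {
  return findSinks(SAMPLE_JS);
}

for (const f of demoSinks()) {
  console.log(`line ${f.line}: ${f.sink}${f.tainted ? ' (URL-controlled input on same line)' : ''}`);
}
```

Assigning to `textContent` is not flagged because it never parses its value as markup, which is the hardened form of lines 3 and 4 of the sample.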

Once more, JavaScript is your weakest link when it comes to being attacked. It costs almost nothing to attack a target or multiple targets, and it's highly effective. However, just as you can be attacked at no cost, you can defend yourself by simply disabling JavaScript. Most browsers have the option under security settings and let you disable JavaScript entirely.

The downside is that some websites won't function correctly. Twitter, for example, will tell you that you have JavaScript disabled (gee, thanks!), and some apps won't let you log in. However, you can whitelist specific websites or allow JavaScript for one-time use. When you visit a website you can then click 'enable JavaScript', or use an add-on like NoScript or uBlock Origin, which lets you select the specific scripts you want to allow. In other words, you can allow JavaScript on the websites you visit, but keep 3rd parties off.
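What "allow the site, keep 3rd parties off" means per script, as an added example that is not part of the original article and not any add-on's own code. The page URL, HTML and allowlist are constructed, inline scripts are treated as first-party, and comparing the last two host labels is a simplification of the Public Suffix List lookup that real blockers use.

```javascript
// Added example: decide, per <script> tag, whether a "first party only plus
// allowlist" policy would let it run. All sample data below is constructed.

// Simplification (assumption): the last two host labels identify the site.
// Real blockers consult the Public Suffix List (needed for e.g. co.uk).
function siteOf(host) {
  return host.split('.').slice(-2).join('.');
}

// One decision per script: same-site and allowlisted hosts run, every other
// third party is blocked. Inline scripts are counted as first-party here.
function decideScripts(pageUrl, html, allowlist = []) {
  const page = new URL(pageUrl);
  const decisions = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(m[1]);
    if (!src) {
      decisions.push({ host: page.hostname, party: 'first', action: 'allow', inline: true });
      continue;
    }
    // Resolve relative and protocol-relative URLs against the page URL.
    const host = new URL(src[1], page).hostname;
    const first = siteOf(host) === siteOf(page.hostname);
    const allowed = first || allowlist.includes(host);
    decisions.push({ host, party: first ? 'first' : 'third', action: allowed ? 'allow' : 'block', inline: false });
  }
  return decisions;
}

// Constructed page: two same-site scripts, a widget CDN, a tracker, one inline.
const SAMPLE_HTML = `
<script src="/js/app.js"></script>
<script src="https://static.news.example/player.js"></script>
<script src="//cdn.widgets.test/embed.js" async></script>
<script src="https://tracker.ads.test/pixel.js"></script>
<script>console.log("inline");</script>`;

function demoScripts() {
  return decideScripts('https://www.news.example/story', SAMPLE_HTML, ['cdn.widgets.test']);
}

for (const d of demoScripts()) {
  console.log(`${d.action.padEnd(5)} ${d.party}-party ${d.host}${d.inline ? ' (inline)' : ''}`);
}
```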

An example on Android Bromite/Vanadium browser:

On Safari macOS you can disable JavaScript in Preferences:

In Safari settings on your iPhone and iPad you have the same option under Advanced:

With NoScript, for example, you can allow JavaScript temporarily or permanently on a website. Some people feel overwhelmed by NoScript or uBlock Origin, but I highly recommend using them.

The Brave browser has, in its Shield settings, an option to block or allow scripts (even once). This is an easy and reliable way to block and allow JavaScript. Even though I am not a fan of Brave, it has the most user-friendly interface for handling these problems in a fast and easy fashion.

Never forget, it is your security and your identity at stake, and they can be easy to exploit when JavaScript is on. So do yourself a favour: block it, and unblock it as needed. Most websites will work with JavaScript off. Believe me, most websites will work even better, as they can't pull the countless scripts you would usually see, from ads to “recommendations”.

Most of all, they won't be able to profile you, which they shouldn't be doing in the first place. Your data is worth so much more than you imagine, so it is your right to keep it to yourself.

Apple has a 'great' slogan: "What happens on your iPhone, stays on your iPhone". It is a great slogan that means nothing, as Apple's 'Closed Garden' tracks you for its own needs, but with JavaScript off, it is more likely that what happens on your device does indeed stay on your device!

Stay Safe!

