I do not really believe in disabling JavaScript, although the ability to control or halt execution would be nice, but you can use an extension to remove it entirely if you want. I say this because the upcoming story talks about vulnerabilities in the NoScript extension, which locks down JavaScript and other non-static content. By “vulnerabilities”, we mean the ability to execute JavaScript, which every major browser vendor enables by default because they consider it safe for their users on its own.

This is like a five-year-old figuring out how to unlock a fireworks case full of paper crackers.

Regardless, there are two vulnerabilities, both of which have already been fixed in an update. Both of them take advantage of the whitelist functionality to get NoScript to ignore malicious code. By default, NoScript trusts a handful of domains, because blocking every script ever would break too much of the internet.

The first problem is that the whitelist has a little cruft, including domain names that are useless, and even some that have expired and gone up for sale. To prove a point, Matthew Bryant purchased zendcdn.net and used it to serve his own JavaScript. The second problem is similar, but slightly different. Rather than a domain that had expired, it involves whitelist entries, such as googleapis.com, that have sub-domains, such as storage.googleapis.com, which is a service that accepts untrusted user scripts (it is part of Google's Cloud Platform).
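The two weaknesses above can be checked for mechanically. The following is an added example, not NoScript's code: a small whitelist audit that flags entries sitting on a lapsed domain and entries that also cover a user-content host. It assumes an entry trusts its domain and every sub-domain, and the lists of lapsed domains and user-content hosts are constructed inputs that a real audit would take from a registrar lookup and a maintained list.

```javascript
// Assumption: a whitelist entry trusts the named domain and all of its sub-domains.
function covers(entry, host) {
  const e = entry.toLowerCase();
  const h = host.toLowerCase().replace(/\.$/, ""); // drop a trailing root dot
  // Match on a label boundary so "evilgoogleapis.com" is not treated as a sub-domain.
  return h === e || h.endsWith("." + e);
}

// whitelist:        domains the script blocker trusts
// lapsedDomains:    domains known to be expired or for sale
// userContentHosts: hosts known to serve files uploaded by arbitrary users
function auditWhitelist(whitelist, lapsedDomains, userContentHosts) {
  const findings = [];
  for (const entry of whitelist) {
    // Problem 1: the trusted name can be registered by anyone.
    if (lapsedDomains.some((d) => covers(d, entry))) {
      findings.push({ entry, issue: "expired-domain" });
    }
    // Problem 2: the trusted name is broad enough to include a host
    // where untrusted users can publish their own scripts.
    for (const host of userContentHosts) {
      if (covers(entry, host)) {
        findings.push({ entry, issue: "covers-user-content", host });
      }
    }
  }
  return findings;
}

// Constructed sample data. zendcdn.net, googleapis.com and storage.googleapis.com
// are the names given in the article; example.org is a filler entry.
const SAMPLE_WHITELIST = ["zendcdn.net", "googleapis.com", "example.org"];
const SAMPLE_LAPSED = ["zendcdn.net"];
const SAMPLE_USER_CONTENT = ["storage.googleapis.com"];

// A narrower entry (constructed) that names one host instead of the whole domain.
const NARROWED_WHITELIST = ["ajax.googleapis.com", "example.org"];

console.log(auditWhitelist(SAMPLE_WHITELIST, SAMPLE_LAPSED, SAMPLE_USER_CONTENT));
console.log(auditWhitelist(NARROWED_WHITELIST, SAMPLE_LAPSED, SAMPLE_USER_CONTENT));
```

The first call reports both article cases; the second returns an empty list because the narrower entry no longer reaches the storage host.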

Again, even though JavaScript is about as secure as you can get in an executable language, you should be allowed to control what executes on your machine. As stated, NoScript has already addressed these issues in a recent update.