Javascript risks?

Quoth · Today, 05:47 AM

Do ereaders (that have a browser) and apps (all apps, any platform) that support Javascript need a setting that disables it? Or at least by default sandboxes if to only allow resources in the file? Or disable it always in an svg?

Javascript Trojans in svg images

kovidgoyal · Today, 07:50 AM

ebook readers dont share cookies/local storage data with your browser. So unless you have actually logged into facebook or whatever the site in question is using your ebook reader software, this class of attack does not apply. Indeed, I doubt the attack applies even with regular browsers because nowadays most websites implement CSRF and other mitigations for precisely this sort of thing.

Quoth · Today, 08:58 AM

Quote:

Originally Posted by kovidgoyal

ebook readers dont share cookies/local storage data with your browser. So unless you have actually logged into facebook or whatever the site in question is using your ebook reader software, this class of attack does not apply. Indeed, I doubt the attack applies even with regular browsers because nowadays most websites implement CSRF and other mitigations for precisely this sort of thing.

TBH, I'd worry more about some iOS and especially Android epub apps. Many epub Apps I've looked at on Android seem to be rubbish.

Actually a lot of malware / attacks are less dangerous than headlines or reporting suggest. But really 3rd party scripts and especially adverts that use 3rd party scripts are the biggest risk on browsers. I don't block adverts but I do block 3rd party scripts. Chrome / Chromium seems determined to cripple that.

However, someone may get more creative with js in svg.

DiapDealer · Today, 10:01 AM

Not technically an ereader, but Sigil's default behavior is to not allow javascript functionality (nor access all remote resource types) in epubs. The user can then override those two settings in the preferences if they so choose.

Quoth · Today, 11:22 AM

Quote:

Originally Posted by DiapDealer

Not technically an ereader, but Sigil's default behavior is to not allow javascript functionality (nor access to all remote resource types) in epubs. The user can then override those two settings in the preferences if they so choose.

That's good.

Today, 05:47 AM	#1
Quoth Still reading Posts: 14,547 Karma: 108666825 Join Date: Jun 2017 Location: Ireland Device: All 4 Kinds: epub eink, Kindle, android eink, NxtPaper	Javascript risks? Do ereaders (that have a browser) and apps (all apps, any platform) that support Javascript need a setting that disables it? Or at least by default sandboxes if to only allow resources in the file? Or disable it always in an svg? Javascript Trojans in svg images

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
What are the risks of drag/drop and in which cases?	repilo	Sigil	18	09-16-2023 02:04 PM
Are there any risks of information loss when converting formats?	elPedr0	Conversion	3	11-08-2022 02:13 AM
Risks of Leaving Content Server On	Sydney's Mom	Calibre	4	09-25-2016 07:19 PM
Risks of bricking a paperwhite.	Griloz	Kindle Developer's Corner	5	05-05-2013 09:47 PM
RISKS Digest	womar	Recipes	1	02-13-2011 10:00 AM

Today, 07:50 AM	#2
kovidgoyal creator of calibre Posts: 45,494 Karma: 28005164 Join Date: Oct 2006 Location: Mumbai, India Device: Various	ebook readers dont share cookies/local storage data with your browser. So unless you have actually logged into facebook or whatever the site in question is using your ebook reader software, this class of attack does not apply. Indeed, I doubt the attack applies even with regular browsers because nowadays most websites implement CSRF and other mitigations for precisely this sort of thing.

Today, 10:01 AM	#4
DiapDealer Grand Sorcerer Posts: 28,762 Karma: 206758686 Join Date: Jan 2010 Device: Nexus 7, Kindle Fire HD	Not technically an ereader, but Sigil's default behavior is to not allow javascript functionality (nor access all remote resource types) in epubs. The user can then override those two settings in the preferences if they so choose.

Advert

Advert