Mozilla Firefox offers a more secure Internet browsing
experience, with the NoScript extension providing extra protection.
Follow our tips and take advantage of tools to stay safe whenever
The NoScript Firefox extension provides extra
protection for Firefox, Flock, SeaMonkey and other Mozilla-based
Flash and other plug-ins to be executed only by trusted websites of
your choice (e.g. your online bank), and provides the most powerful
anti-cross-site scripting (XSS) protection available in a
Cross-site scripting (XSS) is a type of computer security
vulnerability typically found in Web applications, exploited by
injecting HTML code and client-side scripts. An exploited cross-site
scripting vulnerability can be used by attackers to bypass access
controls such as the same origin policy.
Vulnerabilities of this kind have been exploited to craft
powerful phishing attacks and browser exploits. As of 2007,
cross-site scripting carried out on websites accounted for roughly
80% of all documented security vulnerabilities. Often during an attack
"everything looks fine" to the person who may be subject to
unauthorized access, theft of sensitive data and financial
A spammer could capture your password and other information you
believe is protected. You should also be concerned because
malicious scripts can be used to expose restricted parts of your
organization's local network (such as its intranet) to attackers
on the Internet.
Some Web browsers contain vulnerabilities in the security
systems that determine what access a script should have to your
computer or other Web sites. In the case of these cross-zone or
cross-domain vulnerabilities, a malicious script could download and
install arbitrary software on your computer, or read or modify data
on another Web site.
Malicious scripts can also alter the appearance of a browser,
making social engineering or "phishing" attacks more successful.
For example, a malicious script might open a browser window outside
of the visible screen area or cover the address bar with a spoofed
Cross-site request forgery (CSRF, pronounced "sea-surf", or XSRF),
also known as a one-click attack, sidejacking or session riding, is a
type of malicious exploit of a website whereby unauthorized commands
are transmitted from a person that the website trusts. Unlike
cross-site scripting (XSS), which exploits the trust a person has
for a particular site, cross-site request forgery exploits the
trust that a site has for a particular person.
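
The trust described above can be seen in a short server-side check: a site that accepts any request carrying a person's session cookie, next to one that also verifies the request came from its own pages. This is an added example, not code from NoScript or from the original page; the origin https://bank.example, the in-memory session store and all function names are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Hypothetical in-memory session store: session id -> user and per-session token.
const sessions = new Map();

function login(user) {
  const sid = crypto.randomBytes(16).toString('hex');
  const csrfToken = crypto.randomBytes(32).toString('hex');
  sessions.set(sid, { user, csrfToken });
  return { sid, csrfToken };
}

// Weak check: the cookie alone decides. The browser attaches the cookie to
// every request for the site, including one triggered by another site's page,
// so the site ends up trusting the person rather than the request.
function cookieOnlyCheck(req) {
  return sessions.has(req.cookies.sid);
}

// Hardened check: the request must also come from the site's own origin and
// carry the session's token, which a page on another origin cannot read.
function csrfCheck(req, siteOrigin) {
  const session = sessions.get(req.cookies.sid);
  if (!session) return false;
  if (req.headers.origin !== siteOrigin) return false;
  const sent = Buffer.from(String(req.body.csrfToken || ''));
  const expected = Buffer.from(session.csrfToken);
  // Compare in constant time; lengths must match before timingSafeEqual.
  return sent.length === expected.length && crypto.timingSafeEqual(sent, expected);
}

// Constructed sample requests (not captured traffic).
const SITE = 'https://bank.example';
const { sid, csrfToken } = login('alice');
const genuine = { cookies: { sid }, headers: { origin: SITE },
                  body: { amount: '10', csrfToken } };
const crossSite = { cookies: { sid }, headers: { origin: 'https://other.example' },
                    body: { amount: '10' } };

function evaluate() {
  return {
    weakGenuine: cookieOnlyCheck(genuine),
    weakCrossSite: cookieOnlyCheck(crossSite),
    hardGenuine: csrfCheck(genuine, SITE),
    hardCrossSite: csrfCheck(crossSite, SITE),
  };
}
console.log(evaluate());
```

The cookie-only check accepts both requests, while the hardened check accepts only the one sent from the site's own form.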