Safe Browsing with Firefox and NoScript

Mozilla Firefox offers a more secure Internet browsing experience, with the NoScript extension providing extra protection. Follow our tips and take advantage of tools to stay safe whenever you're online.

Operating System: All

Applies To: UB students, faculty, staff, alumni, retirees and volunteers

Last Updated: September 9, 2016

What is NoScript?

The NoScript Firefox extension provides extra protection for Firefox, Flock, SeaMonkey and other Mozilla-based browsers. This free, open source add-on allows JavaScript, Java, Flash and other plug-ins to be executed only by trusted websites of your choice (e.g. your online bank), and provides the most powerful anti-cross-site scripting (XSS) protection available in a browser.
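The default-deny idea described above, shown as a simplified JavaScript model. This is an added example, not NoScript's code and not part of the original page. The site names, function names and the HTTPS-only rule are assumptions made for illustration.

```javascript
// Simplified model of default-deny script allowlisting.
// TRUSTED_SITES and all URLs used with it are constructed sample values.
const TRUSTED_SITES = new Set(["bank.example", "university.example"]);

// A host is trusted if it equals an allowlisted site or is a subdomain of one.
// Matching on a dot boundary keeps look-alikes such as
// "bank.example.evil.test" and "notbank.example" from passing as "bank.example".
function isTrustedHost(host, trusted = TRUSTED_SITES) {
  const h = host.toLowerCase().replace(/\.$/, ""); // drop a trailing root dot
  for (const site of trusted) {
    if (h === site || h.endsWith("." + site)) return true;
  }
  return false;
}

// Decide whether a script referenced by a page may run.
// src === null stands for an inline script, which is judged by the page's own origin.
function mayRunScript(pageUrl, src, trusted = TRUSTED_SITES) {
  let url;
  try {
    // Relative paths such as "/js/app.js" resolve against the page URL.
    url = new URL(src === null ? pageUrl : src, pageUrl);
  } catch {
    return false; // unparsable URL: deny
  }
  // Assumption of this model: scripts not served over HTTPS are denied,
  // since they can be altered in transit. This also rejects data: URLs.
  if (url.protocol !== "https:") return false;
  return isTrustedHost(url.hostname, trusted);
}

// Report the decision for every script source found on a page.
function filterScripts(pageUrl, sources, trusted = TRUSTED_SITES) {
  return sources.map((src) => ({ src, allowed: mayRunScript(pageUrl, src, trusted) }));
}
```

Everything not on the list is blocked, so a script injected into a page from an unknown host does not run even when the page itself is trusted.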

What if My Web Browser is Exposed to a Malicious Script?

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications, which attackers exploit by injecting HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy.

Vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits. As of 2007, cross-site scripting carried out on websites accounted for roughly 80% of all documented security vulnerabilities. Often during an attack "everything looks fine" to the person who may be subject to unauthorized access, theft of sensitive data and financial loss.

Cross-Site Scripting (XSS)

A spammer could capture your password and other information you believe is protected. You should also be concerned because malicious scripts can be used to expose restricted parts of your organization's local network (such as its intranet) to attackers on the Internet.

Some Web browsers contain vulnerabilities in the security systems that determine what access a script should have to your computer or other Web sites. In the case of these cross-zone or cross-domain vulnerabilities, a malicious script could download and install arbitrary software on your computer, or read or modify data on another Web site.

Malicious scripts can also alter the appearance of a browser, making social engineering or "phishing" attacks more successful. For example, a malicious script might open a browser window outside of the visible screen area or cover the address bar with a spoofed address.

Cross-Site Request Forgery

Cross-site request forgery (CSRF, pronounced "sea-surf", or XSRF), also known as a one-click attack, sidejacking or session riding, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a person that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a person has for a particular site, cross-site request forgery exploits the trust that a site has for a particular person.

Still need help?

Contact the UBIT Help Center.