Before we start: JavaScript is dangerous. It runs code directly in your browser, can track you, can exploit vulnerabilities, and runs on nearly every website you visit. That's why Tor Browser bundles NoScript. That's why security researchers warn against it.
That said, JavaScript is everywhere. You can't avoid it entirely. So here's how it works—so you can understand what websites are doing to your browser.
The Risk
When you enable JavaScript, you're letting any website you visit run arbitrary code in your browser. They can:
- Track your movements across sites (fingerprinting)
- Exploit browser vulnerabilities
- Run cryptomining scripts
- Load tracking pixels
- Access clipboard, local storage, and more
NoScript blocks JavaScript by default. You can also disable it in Firefox via about:config by setting javascript.enabled to false.
Some websites work fine without JavaScript. E-commerce sites, social networks, and email services exist that work entirely without it. You'll find them sometimes when browsing with NoScript on "safest" mode in Tor Browser.
What Does JavaScript Do?
HTML builds the structure. CSS makes it pretty. JavaScript makes it do things—sometimes things you didn't ask for.
Dropdowns. Animations. Form validation. Data fetching. But also: tracking scripts. Fingerprinting. Exploits.
Variables: Where Stuff Lives
let name = "cjboon";
const PI = 3.14159;
var oldWay = "don't use var";
let = can be reassigned. const = can't be reassigned (though an object or array it holds can still be changed). var = old way, avoid it.
Data Types
let text = "hello"; // string
let num = 42; // number
let bool = true; // boolean
let arr = [1, 2, 3]; // array
let obj = {a: 1}; // object
Arrays store lists. Objects store structured data. Both are mutable by default, which is part of the danger.
Functions: Running Code
function greet(name) {
  return "Hello, " + name;
}
const add = (a, b) => a + b;
Functions are reusable code. But every function you run is more attack surface.
Conditionals: Making Decisions
const age = 20; // sample value so the snippet runs on its own
if (age >= 18) {
  console.log("You can vote!");
} else {
  console.log("Not yet.");
}
The logic is simple. But websites use conditionals to make decisions about what to track, what to load, what to hide.
Loops: Repeating Stuff
for (let i = 0; i < 5; i++) {
  console.log(i);
}
const fruits = ["apple", "banana"];
fruits.forEach(fruit => console.log(fruit));
Loops process data. They can also iterate through everything you've typed, every form field, every element on the page.
DOM Manipulation: Touching The Page
const btn = document.querySelector('#myButton');
btn.addEventListener('click', () => {
  alert('Clicked!');
});
document.getElementById('output').textContent = 'New text';
This is what makes sites interactive. But also what lets scripts modify content, read form inputs, and intercept clicks.
Fetch: Getting Data
fetch('https://api.example.com/data')
  .then(res => res.json())
  .then(data => console.log(data));
async function getData() {
  const res = await fetch('https://api.example.com/data');
  const data = await res.json();
  console.log(data);
}
Fetch sends requests to servers. Sites use this to load content dynamically—and to send data about you to third parties.
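To see which third-party hosts a page's scripts, images, and fetch calls actually contacted, the snippet below groups the browser's Resource Timing entries by host. It is an added example, not part of the original post: the function name summarizeThirdParties, the sample entries, and the shop.example, tracker.example, and ads.example hosts are constructed for illustration, and subdomains of the page's own host are assumed to be first-party.

```javascript
// Added example: group loaded resources by third-party host.
// Assumption: subdomains of the page's own host count as first-party.
function summarizeThirdParties(entries, pageUrl) {
  const pageHost = new URL(pageUrl).hostname;
  const byHost = new Map();
  for (const entry of entries) {
    let host;
    try {
      host = new URL(entry.name).hostname;
    } catch {
      continue; // entry name is not an absolute URL
    }
    if (!host) continue; // data: and blob: URLs carry no hostname
    if (host === pageHost || host.endsWith("." + pageHost)) continue;
    const row = byHost.get(host) || { host, requests: 0, types: {} };
    row.requests += 1;
    const type = entry.initiatorType || "other";
    row.types[type] = (row.types[type] || 0) + 1;
    byHost.set(host, row);
  }
  // Busiest third parties first, ties broken alphabetically.
  return [...byHost.values()].sort(
    (a, b) => b.requests - a.requests || a.host.localeCompare(b.host)
  );
}

// Constructed sample entries, shaped like PerformanceResourceTiming objects.
const SAMPLE_ENTRIES = [
  { name: "https://shop.example/app.js", initiatorType: "script" },
  { name: "https://cdn.shop.example/style.css", initiatorType: "link" },
  { name: "https://tracker.example/pixel.gif", initiatorType: "img" },
  { name: "https://tracker.example/collect", initiatorType: "fetch" },
  { name: "https://tracker.example/collect", initiatorType: "fetch" },
  { name: "https://ads.example/tag.js", initiatorType: "script" },
  { name: "data:image/png;base64,AAAA", initiatorType: "img" },
  { name: "not a url", initiatorType: "other" },
];

// In a browser console this audits the live page; elsewhere it uses the sample.
const inBrowser =
  typeof location !== "undefined" && typeof performance !== "undefined";
const report = inBrowser
  ? summarizeThirdParties(performance.getEntriesByType("resource"), location.href)
  : summarizeThirdParties(SAMPLE_ENTRIES, "https://shop.example/cart");
console.log(JSON.stringify(report, null, 2));
```

Resource Timing only covers what the page has already loaded, so run it after the page has settled, and expect nothing from scripts that NoScript blocked.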
The Bottom Line
JavaScript isn't going anywhere. But you should:
- Use NoScript or similar extensions
- Disable JavaScript in your browser when you don't need it
- Use Tor Browser with "safest" settings for sensitive browsing
- Understand what websites are doing with your browser
- Support sites that work without JavaScript
Learn JavaScript if you must. But use it sparingly. Trust nothing running in your browser.