The new version of NoScript, the popular browser add-on that blocks JavaScript and other embedded objects from running on Web pages, is out in alpha form and it can now run on Android-based smartphones, giving users protection against script-based attacks on their mobile devices.
The release of NoScript Anywhere includes a variety of new features, but it’s the support for Firefox Mobile that is the big attraction. The add-on for Android devices is meant to mimic the desktop version, giving users the ability to set permissions for each individual site and use a default policy for restricting content. NoScript also now includes an anti-clickjacking feature and an anti-XSS filter designed to protect users from cross-site scripting attacks. The new version also works on Maemo-based phones and tablets.
“The mobile-focused UI is focused on making ‘normal’ usage as easy as it is now in NoScript at least, whereas more advanced options (per-site granular permissions, hierachical permissions depending on the hosting page and so on) will be available in the desktop UI and synchronizable with mobile device via Firefox Sync,” the release notes for the add-on say.
JavaScript and other kinds of embedded content on Web pages often is used by attackers in various attack scenarios to either redirect users to a malicious site or to exploit a vulnerability in the user’s browser to install malware. Often, these attacks are executed by compromising a group of legitimate Web sites and then placing malicious JavaScript on the site. That code will then automatically redirect users to another site where malware is hosted. This is the kind of technique that’s being used in many of the mass SQL injection attacks that have been going on for a couple of years now.
NoScript by default will block JavaScript on any site that users visit, but they have the ability to set granular permissions for each individual site to allow scripts on certain pages. Users of the new version, which now can be installed without restarting the browser, can take these permissions even further.
“Furthermore, while the in-page permission UI has been greatly simplified and optimized for touchscreen consumption, NoScript for Mobile In-Page Permissions UI the underlying engine has been redesigned to allow deep per-site customization at the single permission level (e.g. making Flash permanently work by default on site X but not on site Y, even if JavaScript is allowed on both, or causing restrictions on a certain embedded object to depend on its parent page’s address),” NoScript developer Giorgio Maone wrote in a blog post about the release of NoScript Anywhere.
