Google Wants to Change JavaScript Popups After Abuse from Tech Support Scammers

Share this…

Chromium engineers are discussing plans to change how JavaScript popups work inside Chrome and other similar browsers.

In a proposal published on the Google Developers portal, the Chromium team acknowledged that JavaScript popups are consistently used to harm users.

While JavaScript popups have been used to redirect users to malware downloads, these intrusive dialogs have often been the central point of web-based scareware operations, also known as tech support scams.

The problem lies in the fact that JavaScript popups often block access to the entire browser, unless the user manually dismisses the popup.

In many cases, crooks have constructed endless loops of JavaScript that keep users on shady websites. These tactics are known as “browser lockers,” and work similarly to ransomware, albeit they’re easier to remove and don’t result in any data loss due to encryption.

Chrome JS popups to work on a per-tab basis

To combat this threat, Google engineers say they plan to make JavaScript modals, like the alert(), confirm(), and dialog() methods, only work on a per-tab basis, and not per-window.

This change means that popups won’t block users from switching and closing the tab, putting an end to any overly-aggresive tactics on the part of the website’s owner(s).

A similar change was made to Safari 9.1, released this week. Apple’s decision came after crooks used a bug in Safari to block users on malicious pages using popups. Crooks then tried to extort payment, posing as ransomware.

Google has debated the change since July 2016

There is no timeline on Google’s decision to move JavaScript popups to a per-tab model, but Chromium engineers have been debating this issue since July 2016 as part of Project OldSpice.

In the meantime, Google is asking web developers to ponder using new technologies as alternatives to the classic alert(), confirm(), and dialog() functions. The list includes:

  • Notifications API – for notifying the user of events (e.g. calendaring sites)
  • HTML < dialog > element – for obtaining user input
  • Devtool’s console.log(document.origin) – for XSS proofs-of-concept

“Because of these changes, if your site uses dialogs, it is highly recommended that you move to using the earlier-mentioned alternatives so that this will not affect you,” Google engineers said. “The Chromium team highly recommends that you not use JavaScript dialogs.”