Keyloggers and other malware can be installed via a web page script which exploits a browser vulnerability. The program will automatically be launched when a user visits an infected site. Compromising a browser is relatively easy, and it is cross-platform, hence an often chosen target.

  • BeEF & other browser exploits, when not using browser vulnerabilities, rely on javascript.

  • Phishing (and therefore browsing) is one of the most low cost attack vectors in systematic attacks and data theft, with all of its consequences. Safer browsing is a good investment all around.

  • The way in which browsers are configured (especially the browser plugins used), together with details of the Operating System in which the browser runs, allows its users to be uniquely identified and tracked.

  • Third-party cookies are going extinct now that many browsers block third-party cookies, but that doesn’t mean Google (and others) will respect our privacy. Google started an experiment called Federated Learning of Cohorts (FLoC). It runs in Google’s Chrome browser and tracks a user’s online behaviour.

Plus that browsers (for performance reasons) prefetch exposing users to more security risks by downloading more pages, or from un-requested sites (additionally compounded as drive-by downloads become more advanced and diverse).