Popup windows and ads have been with us for a long, long time. Thanks to browser extensions like AdBlock and the browsers’ own anti-popup functionality, this is not something we need to worry about most of the time.
What’s more worrying are the following malicious behaviors:
CSRF: CSRF stands for Cross Site Request Forgery. CSRF does require the attacker to know its victim sites very well, and rely on the fact that the victim is in an authenticated session. It exploits the assumption that the browser accessing a particular website can be trusted.
This means, often with help from XSS, if you visit the wrong link or happen to load a page that contains an ad with bad scripts, the attacker owns your credentials for as long as you’re logged in. If, for example, you’re logged into Facebook, and you visit a site which contains a CSRF attack, then that site can run code that takes advantage of your existing session with Facebook to forge requests that paste something in your profile. That something may be a message with, “Oh hey! Check out this awesome video I just found!” linking to that scammy website, which in turn compromises your friends’ accounts. Worse, it may try to change your password and email address to steal your credentials. Facebook no doubt has measures now in place to prevent such instances, but more often than not, security is implemented as a countermeasure after the fact rather than a preventative policy. (As for the past? Well, just do a search for CSRF or XSS attacks and your favorite websites to see the depressing history.)
Another option, if you have a machine that meets minimum requirements, is to use a virtual machine in place of your browser. VMWare Player is a free software that lets you run another operation system within your current setup. Linux is a free and popular option, and the vmware site should have plenty of free images for you to use. The virtual machine is a sandboxed environment so that even if you visit a virus-ridden site, only the virtual image is corrupted. The rest of your machine is safe. There is some inconvenience in this, as you must run the virtual machine to boot up a second operating system. However, the advantage is that if that virtual machine is corrupted, you can simply delete it, roll back, or re-image it so that it’s clean and untainted without disrupting the rest of your system. I’ve used a virtual machine to browse sites when I know it’s likely to be a dangerous site – e.g. when I’m examining the links in a phishing email.