
JavaScript : Code injection

Overview

The application treats unvalidated user input as source code. Interpreting and executing data from an untrusted source at runtime allows an attacker to execute malicious code in the context of the application.

Many modern programming languages support dynamic interpretation of instructions. This lets a developer build behavior into the application that depends on the user’s actions. Code injection vulnerabilities take first place in the “OWASP Top 10 2017” ranking of web-application vulnerabilities and occur when a developer mistakenly assumes that the user will enter only “harmless” instructions. In reality, unvalidated user instructions may be dangerous.

eval() is a dangerous function: it executes the code passed to it with all the privileges of the caller. If you run eval() on strings, you may end up running malicious code on the user’s device with the rights of your web page or extension. eval() is also, as a rule, slower than the alternatives, because it invokes the JS interpreter, while many other constructs are optimized by modern JS engines.
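
The contrast described above, as an added example that is not part of the original page: `calcUnsafe` hands user input to eval(), while `calcSafe` treats the same input as data and parses it. The calculator scenario, the function names and the `injectedFlag` payload are assumptions constructed for illustration.

```javascript
// Vulnerable pattern: user text is handed to eval() and runs as code.
const calcUnsafe = (userInput) => eval(userInput);

// Hardened form: the input is data. It is split into tokens and evaluated by
// a small parser for numbers, + - * / and parentheses; nothing is executed.
// Any other non-space character becomes a token that the parser rejects.
function calcSafe(userInput) {
  const tokens = String(userInput).match(/\d+(?:\.\d+)?|[-+*/()]|\S/g) || [];
  if (tokens.length > 100) throw new RangeError('expression too long');
  let pos = 0;
  function primary() {
    const t = tokens[pos++];
    if (t === '-') return -primary();
    if (t === '(') {
      const v = expr();
      if (tokens[pos++] !== ')') throw new SyntaxError('expected )');
      return v;
    }
    if (t === undefined || !/^\d/.test(t)) throw new SyntaxError('expected number');
    return Number(t);
  }
  function term() {
    let v = primary();
    while (tokens[pos] === '*' || tokens[pos] === '/') {
      v = tokens[pos++] === '*' ? v * primary() : v / primary();
    }
    return v;
  }
  function expr() {
    let v = term();
    while (tokens[pos] === '+' || tokens[pos] === '-') {
      v = tokens[pos++] === '+' ? v + term() : v - term();
    }
    return v;
  }
  const result = expr();
  if (pos !== tokens.length) throw new SyntaxError('unexpected trailing input');
  return result;
}

// Constructed, harmless payload: arithmetic followed by an extra statement.
function demo(payload = '2*(3+4); globalThis.injectedFlag = true') {
  delete globalThis.injectedFlag;
  calcUnsafe(payload); // the extra statement executes
  const ranUnderEval = globalThis.injectedFlag === true;
  let rejected = false;
  try { calcSafe(payload); } catch (e) { rejected = e instanceof SyntaxError; }
  return { ranUnderEval, rejected };
}
console.log(demo(), calcSafe('2*(3+4)'));
```
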

DerScanner Severity Score: MEDIUM
