JavaScript security leaks?

From: Charles Sullivan
Date: 02/25/05

Date: Fri, 25 Feb 2005 17:55:41 GMT

When browsing a website with JavaScript enabled in the
browser (Firefox, Opera), what information about my
system can be returned to the website by JavaScript?

I've seen the scam sites which display the contents of the
current directory and purport that they are being returned
to the website. But I've been told they are just displayed
locally and aren't really returned to the website.

However this site _looks_ legitimate:

When the "What's my IP" menu item is selected it displays
the internal network IP of my PC, which is behind a router.
(It isn't displayed if I disable JavaScript in the browser.)

If the internal IP is in fact actually returned to the
website, what other information might JavaScript reveal?

(I'm running PCs under Red Hat 9, Fedora Core 2, and
Windows XP in a network behind a Linksys WRT54G router.
Firewalls are configured for the router and on each
individual PC.)

Charles Sullivan