Any
JavaScript or
ECMAscript code whose purpose is to do harm to a
Web page's viewer -- most usually, to inhibit him or her from
navigating or leaving a
Web site. In general, a piece of JavaScript code may be regarded as abusive if it overrides the user's control of his/her own browsing.
JavaScript permits a page designer to trap out certain elements of the browser's user interface. A common abuse is to trap out the user's ability to close a browser window, replacing it with a function which opens more windows into the abusive site. This is most common on fake porn sites, which force the user to reload pages of banner ads in an attempt to reap fraudulent advertising revenues for the page's maintainer.
Another, somewhat milder abuse is to deny the user the ability to open a frame of a framed Web page into an independent window. By testing to see if a page has been loaded into a frameset, and refreshing into the frameset if it has not, the page author can force the user to look at pretty sidebars -- or, more often, ugly and flashy ads. SecurityFocus practices this abuse, and for no apparent reason.
Finally, one of the grossest and most unnecessary JavaScript abuses is to test the browser's user agent identity -- basically, its manufacturer and version number -- and to bounce the user from the site if the browser is not a "supported" model. This sort of abuse was popularized by Netscape in the early days of the popular Web, and led to all manner of Web browsers, including Microsoft's Internet Explorer, representing themselves as "Mozilla" in order to ensure their users access to sites that blocked non-Netscape browsers.
Abusive JavaScript has its greatest effect on new users of the Web, as more experienced users have learned to turn off JavaScript in their browser configurations -- either all the time, or at least when accessing potentially abusive sites.