https://www.bleepingcomputer.com/news/security/ebay-port-scans-visitors-computers-for-remote-access-programs/

This was a bit disturbing to read today. eBay injects a few JavaScript connections back to your requesting system and measures a basic socket connection, telling them if the port is open or not, amounting to effectively a localhost port scan for specified ports, behind a firewall, from a web page you visited. They are doing this looking for remote admin applications in fact: RDP, VNC, TeamViewer, many others. Hmm.

So any public website can query any port from visiting a web page, and possibly interact with any sort of local or other API on my system?

I wouldn't think JavaScript would be allowed to chain off a host like that, or at least it would have protections from certain abuse. I suppose it's valid if linking to another site, but with JS/browsers allowing local random port use like this, it seems eBay is probably not the only one to abuse this in certain ways. I know you can do some interesting things with WebSockets; it seems chaining via the same methods to interact remotely would be trivial.

This is pretty devious actually. I'm a bit scared of eBay, not to mention all the other sites I "trust", let alone the ones I don't. Everyone else that just allows JavaScript pervasively is just hosed. Which is standard for everyone since JavaScript existed.

I use NoScript pervasively, and whitelist only valid sites. eBay is a valid site, I didn't think I had to protect myself, but how would you protect against this? Curious also about the take from web devs on this, other than thanks for the tip. :)

-mb
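
On the "how would you protect against this?" question, a first step is being able to see the behaviour. The following is an added example, not part of the original post: it walks a HAR-shaped browser capture and reports public page origins that made requests to loopback or private addresses. The sample capture, the `shop.example` host and the assumption that `pages[].title` holds the page URL are constructed for illustration.

```javascript
// Added example (constructed input). Assumes HAR-shaped data where pages[].title is the page URL.
function hostClass(hostname) {
  const h = hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (h === "localhost" || h.endsWith(".localhost") || h === "::1") return "loopback";
  const m = h.match(/^(\d+)\.(\d+)\.\d+\.\d+$/);
  if (!m) return "public"; // other names are treated as public; no DNS lookup is done
  const a = Number(m[1]), b = Number(m[2]);
  if (a === 127) return "loopback";
  if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return "private";
  if (a === 169 && b === 254) return "private"; // link-local
  return "public";
}

const DEFAULT_PORTS = { "http:": 80, "ws:": 80, "https:": 443, "wss:": 443 };

// Returns one record per public page origin that contacted loopback or private hosts.
function findLocalProbes(har) {
  const pageUrl = new Map(har.log.pages.map((p) => [p.id, p.title]));
  const byOrigin = new Map();
  for (const entry of har.log.entries) {
    let page, target;
    try {
      page = new URL(pageUrl.get(entry.pageref));
      target = new URL(entry.request.url);
    } catch {
      continue; // skip entries whose URLs cannot be parsed
    }
    const cls = hostClass(target.hostname);
    if (hostClass(page.hostname) !== "public" || cls === "public") continue;
    const port = Number(target.port) || DEFAULT_PORTS[target.protocol] || 0;
    if (!byOrigin.has(page.origin)) byOrigin.set(page.origin, new Set());
    byOrigin.get(page.origin).add(`${cls}:${target.hostname}:${port}`);
  }
  return [...byOrigin].map(([origin, hits]) => ({ origin, targets: [...hits].sort() }));
}

// Constructed sample capture: a public shop page that also touches 127.0.0.1 and the LAN.
const sampleHar = { log: {
  pages: [{ id: "page_1", title: "https://shop.example/item/1" }],
  entries: [
    { pageref: "page_1", request: { url: "https://cdn.shop.example/app.js" } },
    { pageref: "page_1", request: { url: "wss://127.0.0.1:3389/" } }, // RDP port
    { pageref: "page_1", request: { url: "wss://127.0.0.1:5900/" } }, // VNC port
    { pageref: "page_1", request: { url: "http://192.168.1.1/" } },
  ],
} };

console.log(JSON.stringify(findLocalProbes(sampleHar), null, 2));
```

Several distinct loopback ports reported under one public origin is the pattern the post describes; the same host classification can drive a blocking rule in a proxy or extension.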