How to overcome Safari hijacked by a JavaScript warning

NewSafariIconXWhether it is from clicking on spam or otherwise being caught in a malicious trap, every now and then such oversights when browsing the Web can have you inadvertently load phishing or spam pages that attempt to pull ransomware attacks on you. When this happens, you will see a warning window claims your browser has been locked and you will have to pay a fee or give them information to release it.

This issue is a common scam done by way of a Javascript loophole. In most cases, javascript alerts are issued once when a developer needs to inform you of an error or other detail, and when you click “OK” or “Cancel” the alerts go away. However, by simply implementing the alert in a loop, a a developer can make it so the message displays repeatedly, locking out all other functions of your browser and making it appear as if they really have locked your browser.

These phishing attempts usually are presented on top of a fake FBI or other government Web site, to help legitimize the scam.

Furthermore, because Apple uses Resume features in OS X that preserve an application’s opened documents and window locations, if you force-quit Safari and then reload it, the page may load again and resume this frustrating behavior.

Safari does have some hidden developer options that can stop the execution of JavaScript on a page, but unfortunately they require you dismiss all alerts before you can use them, and when alerts are in a loop, they will reappear too fast.

Infinite JavaScript alert in Safari

This demo page shows such an alert in a loop that will repeat indefinitely. When this happens, note the page’s address, as this will be useful for clearing the alert.

This leaves you with two approaches for managing these situations:

Force-quit the Safari Web process that is hosting the page

Unlike other browsers in OS X, Safari hosts pages in separate running processes on your Mac. This makes them effectively be separate applications that will appear as such in OS X’s Activity Monitor utility. To identify the problematic Web page, make a note of its title and URL address, and then do the following in Activity Monitor:

  1. Choose “All Processes” from the View menu.
  2. Search for “Safari Web Content” in Activity Monitor’s search field.
  3. Click on the Process Name column title to sort listings by this field so they won’t jump around in your view.

With this done, if you cannot see the URL of your Web page listed, then hover your mouse over each Safari Web Content process to see a list of the URLs represented by it. Once you have located the URL for the page that is giving you problems, select that Web Content process and use the “X” button in the toolbar to force it to quit. You should now be able to dismiss the JavaScript alert and close the page that is causing it.

Safari Web Content processes in Activity Monitor

In Activity Monitor you can see the Web page’s URL as the name of the corresponding Web Content process. If not, you should be able to hover your mouse over each process to see a tooltip list of the URLs that process represents.

Remove Safari’s saved state

A second approach for this requires you force quit Safari and then clear out its saved windows so they will not re-load when you next launch the program. This approach is a little more intrusive on your workflow, but is a good way to prevent any unwanted pages from being loaded when you next open Safari:

  1. Press Option-Command-Escape and use the force-quit dialogue to close Safari.
  2. In the Finder, hold the Option key and choose Library from the Go menu.
  3. Go to the Saved Application State folder in the Library.
  4. Locate and remove the folder called “com.apple.Safari.savedState.”

Now when you launch Safari, none of your previous windows will appear, and you can manually re-open any pages you had open previously.

13 thoughts on “How to overcome Safari hijacked by a JavaScript warning

  1. Willard Wood

    This happened to me yesterday. It took a lot of time to fix this when I finally got connected to Apple Support in Columbia SC. She said they had been talking to the hackers about this issue. My question is Why are the hackers NOT in jail.

    Reply
    1. Toni

      why? They are probably in another country, where US laws mean nothing. The majority of these scams are foreign based. Our laws can’t touch them.

      Reply
  2. ADeweyan

    I despise the autoresume feature, and this is one reason why it is a mistake to make it the default operation. I have the feature turned off, of course, but when Safari (or my Mac) crashes, that setting is ignored and when I restart, the windows begin reloading (including the one that caused the crash).

    In the time since they introduced this feature, I think there was one single time it worked out to be convenient for me. EVERY OTHER TIME, I end up having to close the windows as Safari tries to open them.

    Reply
  3. Ben

    Or just turn off you wifi before you reopen safari. Close the offending tab and turn wifi back on. No tab loss.

    Reply
    1. Topher Kessler Post author

      This may work in some cases, but may not be easily doable if you have multiple windows open and only want to close the offending one. Upon reopening, you may have a hard time determining which one is the culprit.

      Reply
      1. Tara Kapali

        This is the first method I use… There are two good things about this method: First, it requires almost no knowledge of OS or other programs (ie, like using cmd this or opt key that, or Activity Monitor. Which, I think, is a whole new ball game and could cause more problems in a layman’s hands) and; Second, it is universal and will work for any other browser too! And although you’re reply is correct that it could be hard to identify which window to quit I haven’t noticed a problem since it’s usually the last window you’ve opened and so it sort of obvious.

        Reply
  4. B. Jefferson Le Blanc

    I use the JavaScript Blocker extension in Safari – and keep it up to date. I have not (yet) run into the problem described in the article. This could be because I’ve been lucky, careful enough – I don’t open dubious e-mails or click on the links therein, or because JSB has prevented a JavaScript loop from capturing my browser. My money is on JSB, but I don’t know for sure if it is what has been protecting me. In any case, I recommend this extension to anyone concerned about JavaScript exploits.

    I would also welcome any verification or contradiction of JavaScript Blocker’s efficacy with this issue.

    Reply
    1. Topher Kessler Post author

      If polyps are recurring then try resetting Safari (use the options in the Safari menu for doing so) and if they continue to pop up, then use a program called adwaremedic (from malwarebytes) to scan for and remove malware from your Mac that might be at the root of the popups.

      Reply
  5. Pia

    can you turn off your mac and then turn it back on? would this solve the pop-up warning? I have gotten the “stay on the page” and “leave this page”. If I clicked “leave this page” do I have a trojan or virus?

    Reply
  6. Alex

    I force quit safari, turned off my wifi, and opened safari. I then closed the most recent page when it failed to load. That worked perfectly and I kept all my pages.

    Reply

Leave a Reply to venicejeff Cancel reply

Your email address will not be published. Required fields are marked *