The first web browser, WorldWideWeb, created in 1990 by Sir Tim Berners-Lee, was rudimentary, using the HTTP protocol to navigate between documents.
[1][2] Features were added to HTML to support interoperability with proprietary systems like VBScript and Java applets, and vendors aimed to ensure their browsers could handle websites optimized for competitor.
This led to increasingly convoluted set of undocumented hacks and fault tolerant architectures that were often hard to standardize due to competing interests.
[8] Once an attacker is able to run processes on the visitor's machine, then exploiting known security vulnerabilities can allow the attacker to gain privileged access (if the browser isn't already running with privileged access) to the "infected" system in order to perform an even greater variety of malicious processes and activities on the machine or even the victim's whole network.
[9] Breaches of web browser security are usually for the purpose of bypassing protections to display pop-up advertising[10] collecting personally identifiable information (PII) for either Internet marketing or identity theft, website tracking or web analytics about a user against their will using tools such as web bugs, Clickjacking, Likejacking (where Facebook's like button is targeted),[11][12][13][14] HTTP cookies, zombie cookies or Flash cookies (Local Shared Objects or LSOs);[15] installing adware, viruses, spyware such as Trojan horses (to gain access to users' personal computers via cracking) or other malware including online banking theft using man-in-the-browser attacks.
Following the principle of defence in depth, a fully patched and correctly configured browser may not be sufficient to ensure that browser-related security issues cannot occur.
For example, a rootkit can capture keystrokes while someone logs into a banking website, or carry out a man-in-the-middle attack by modifying network traffic to and from a web browser.
Browsers can use more secure methods of network communication to help prevent some of these attacks: Perimeter defenses, typically through firewalls and the use of filtering proxy servers that block malicious websites and perform antivirus scans of any file downloads, are commonly implemented as a best practice in large organizations to block malicious network traffic before it reaches a browser.
[30] The contents of a web page are arbitrary and controlled by the entity owning the domain named displayed in the address bar.
[32] Browsing the Internet as a least-privilege user account (i.e. without administrator privileges) limits the ability of a security exploit in a web browser from compromising the whole operating system.
Internet Explorer 7 added "protected mode", a technology that hardens the browser through the application of a security sandboxing feature of Windows Vista called Mandatory Integrity Control.