1.3.4 Ensure 'Control use of JavaScript JIT' is set to 'Enabled: Do not allow any site to run JavaScript JIT'

Information

This policy setting specifies whether Microsoft Edge will run the V8 JavaScript engine with the JIT (Just In Time) compiler enabled. JIT is a complex pipeline of processes used to optimize JavaScript code for performance.

Note: This policy can be overridden for specific URL patterns using the JavaScriptJitAllowedForSites (Allow JavaScript to use JIT on these sites) and JavaScriptJitBlockedForSites (Block JavaScript from using JIT on these sites) policies.

The recommended state for this setting is: Enabled: Do not allow any site to run JavaScript JIT.

Rationale:

Microsoft's research has revealed that attackers usually target the Just-In-Time (JIT) compilation stage of the JavaScript engine when attacking web browsers. Disabling the JavaScript JIT compiler removes this target from Microsoft Edge, which helps prevent attackers from compromising the systems it runs on.

Impact:

Disabling the JavaScript JIT means that Microsoft Edge may render web content more slowly, and parts of JavaScript, including WebAssembly, may also be disabled.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: Do not allow any site to run JavaScript JIT:

Computer Configuration\Policies\Administrative Templates\Microsoft Edge\Content Settings\Control use of JavaScript JIT

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSEdge.admx/adml, which can be downloaded from Microsoft's "Download Microsoft Edge for Business" page.
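To confirm the setting has actually been applied on a host, the following added example (not part of the benchmark text) reads the policy from the registry and lists any per-site exceptions from the two override policies named in the note above. It assumes the registry key and value name documented by Microsoft for this Edge policy, neither of which appears on this page: `HKLM\SOFTWARE\Policies\Microsoft\Edge`, value `DefaultJavaScriptJitSetting`, where 2 means "Do not allow any site to run JavaScript JIT". The function names are illustrative.

```powershell
# Added example: audit the Edge JavaScript JIT policy on a Windows host.
# Assumption (from Microsoft's Edge policy documentation, not this page):
# the policy lives under the key below and 2 = block JIT for all sites.
$edgeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

function Get-EdgePolicyList {
    param([Parameter(Mandatory)][string]$Name)
    # List-type policies are stored as a subkey holding values named 1, 2, 3, ...
    $path = Join-Path $edgeKey $Name
    if (-not (Test-Path $path)) { return @() }
    $key = Get-Item -Path $path
    # Skip the unnamed default value; return only the URL patterns.
    return @($key.GetValueNames() | Where-Object { $_ } |
             ForEach-Object { $key.GetValue($_) })
}

function Test-EdgeJitPolicy {
    # A missing key or missing value both mean "policy not configured".
    $props   = Get-ItemProperty -Path $edgeKey -ErrorAction SilentlyContinue
    $setting = if ($props) { $props.DefaultJavaScriptJitSetting } else { $null }

    # Per-site exceptions: patterns here keep JIT on despite the global block.
    $allowed = @(Get-EdgePolicyList -Name 'JavaScriptJitAllowedForSites')
    $blocked = @(Get-EdgePolicyList -Name 'JavaScriptJitBlockedForSites')

    [pscustomobject]@{
        DefaultJavaScriptJitSetting = if ($null -eq $setting) { 'not configured' } else { $setting }
        Compliant                   = ($setting -eq 2)
        JitAllowedForSites          = $allowed
        JitBlockedForSites          = $blocked
        # Flag hosts where exceptions should be reviewed against what is approved.
        ExceptionsToReview          = ($allowed.Count -gt 0)
    }
}

Test-EdgeJitPolicy | Format-List
```

A host can report `Compliant: True` while still running JIT on every pattern listed under `JitAllowedForSites`, so review that list alongside the global setting.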

Default Value:

Enabled.

See Also

https://workbench.cisecurity.org/benchmarks/11865

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-10, 800-53|CM-11, 800-53|SC-18, CSCv7|7.2

Plugin: Windows

Control ID: fe612834c1a822c4e4bcaa5bcf42f998a6e081cae351b6f5cb1e0f7d10b68e6a