Information
This policy setting controls JScript execution per Security Zone within Internet Explorer and WebBrowser Control (WebOC) for Office applications. JScript is Microsoft's legacy dialect of the ECMAScript standard that is used in Microsoft's Internet Explorer 11 and older.
If Enabled, Office applications will not execute legacy JScript for the Internet or Restricted Sites zones and users aren't notified by the application that legacy JScript execution is restricted. Modern JScript9 will continue to function for all zones.
The recommended state for this setting is: Enabled, with the following value for each application: Access: 69632, Excel: 69632, OneNote: 69632, Outlook: 69632, PowerPoint: 69632, Project: 69632, Publisher: 69632, Visio: 69632, Word: 69632.
Development on the JScript engine ended and the component was deprecated with the release of Internet Explorer 8.0 in 2009, but the engine remained in all Windows OS versions as a legacy component inside IE. Due to this, it has been exploited by a number of bad actors over the years, including nation-states.
The following CVEs are associated with JScript vulnerabilities: CVE-2018-8653, CVE-2019-1367, CVE-2019-1429, and CVE-2020-0674.
Solution
To establish the recommended state via configuration profiles, set the following Settings Catalog path to Enabled: 69632 for each application listed.
Administrative Templates\MS Security Guide\Restrict legacy JScript execution for Office
Impact:
It's important to determine whether legacy JScript is being used to provide business-critical functionality before enabling this setting.