The JIT compiler requires violating the standard w^x policy. Therefore, memory can be both writable and executable at the same time. This a very security concern because an attacker could inject and execute their own malicious code from the JIT region during exploitation of a vulnerability. Disabling this results in enormous attack surface reduction and will kill off a huge amount of browser exploits.
Looking at CVE (Common Vulnerabilities and Exposures) data after 2019 shows that roughly 45% of CVEs issued for V8 were related to the JIT engine.
Moreover, we know that attackers weaponize and abuse these bugs as well; an analysis from Mozilla shows that over half of the “in the wild” Chrome exploits abused a JIT bug.
Disabling JIT is quite simple.
Firefox
On Firefox you can go in the about:config page and change those settings:
javascript.options.ion
to false
javascript.options.baselinejit
to false
This approach works both on desktop and mobile. (Although, the stable version of Firefox on android doesn’t allow about:config page)
Chromium
On chromium based browsers you have to add this command line.
--js-flags="--jitless"
This approach works only on desktop browsers.
On android, the only browsers who enabled this feature are bromite and Vanadium.
Interesting, seems as if there’s mostly no difference, thanks for sharing!