More like browser makers do. That stuff should not be possible period, yet it is. There was a FF exploit discovered the other day that allowed remote code execution right through the sandbox. What's the point of the sandbox if it does not actually work? Yeah you should keep stuff up to date, but the whole idea of designing stuff securely should be that it works even on old versions. Stuff is never up to date, there's always new exploits. Stuff should be designed from the get go to mitigate any exploit from being able to do damage.Sounds like you have much bigger problems than browser js.