Oh, it’s not, the difference is that the SVG is an unexpected delivery vector.
The script on a website might change over time, might be blocked by an extension like uBlock origin that prevents sections of web code from loading in the first place. You can block a website’s JS with an extension that specifically does that, like jshelter. A malicious SVG is static, the malicious code is malicious forever and is embedded in the file. A browser extension can’t selectively block pieces of the file from loading.
Script blocking extensions prevent web page code from loading, but they don’t prevent the application from executing JS. If you open an SVG, the file is downloaded locally (it’s not web code) and the JS in the file will execute locally, with the same permissions and file system access as the user opening the file.
Oh, it’s not, the difference is that the SVG is an unexpected delivery vector.
The script on a website might change over time, might be blocked by an extension like uBlock origin that prevents sections of web code from loading in the first place. You can block a website’s JS with an extension that specifically does that, like jshelter. A malicious SVG is static, the malicious code is malicious forever and is embedded in the file. A browser extension can’t selectively block pieces of the file from loading.
Script blocking extensions prevent web page code from loading, but they don’t prevent the application from executing JS. If you open an SVG, the file is downloaded locally (it’s not web code) and the JS in the file will execute locally, with the same permissions and file system access as the user opening the file.