by brandonwamboldt 3948 days ago
Flash is a closed source binary plugin with a long history of security vulnerabilities that Adobe was slow to patch. For the most part, JavaScript engines are open source, don't have a history of security vulnerabilities (to the same severity), and are typically patched quickly.
2 comments

(linking to myself) https://news.ycombinator.com/item?id=9875333

It's been more than a year since there's been a month without multiple CVE severity 10 bugs.

Here is Secunia's 2014 vulnerability report: https://secunia.com/resources/vulnerability-review/update-al...

Google Chrome is at the top with the most vulnerabilities, IE a bit below it, then Avant Browser, then Firefox. Same with the 2015 edition.

Flash didn't even make it in the top 20. And yes, they also evaluated it.

You can't compare counts of published vulnerabilities when organizations have vastly different standards of publication. Open source projects (e.g. Firefox, chromium) publish everything, even internally found flaws. Closed-source projects tend to publish only those reported by external reporters, not ones they found internally. At least one hopes they are also fixing lots of internal bugs! They might not be, in which case a low vulnerability count could actually mean they've got lots of unfixed vulnerabilities.

What about attacks found in the wild? Flash takes the cake there, although that may in part mean its ubiquity makes it a useful target.

In any case you can't use Flash to browse the web. You are already taking on the risk of whatever vulnerabilities lurk in your chosen browser; using Flash is adding vulnerability risk on top.