[Alupis]

No, Javascript by design can't do certain things, such as write directly to your disk, read arbitrary data from the disk, control threading at the cpu level, etc.

This was part of the design process in order to make Javascript a "web browser safe" language. Other languages have been modified and browser support "bolted on" after the fact, which leads to the sandboxing, which means if one can escape the sandbox, they have a full language and all of it's features at their disposal. This is dangerous, and can lead, and has led to severe security issues.

Applets are very actively maintained by the OpenJDK and Oracle projects. They are used still today for a lot of things, especially in the banking sector.

[andreasvc]

The number of sites that use Javascript is many orders of magnitude greater than those that use Java applets. This means that much more attention is going to keeping the Javascript runtime safe. If the same attention would go into making, say, a Python runtime for browsers, it would be just as safe (and removing the file writing and system call abilities would be the trivial part). Note that in HTML5, Javascript can read files (see e.g. http://www.html5rocks.com/en/tutorials/file/dndfiles/ ), so the point is not to exclude such functions from the language, but to adequately control when they can be used.

Critical security flaws can come from any C code, be it a Javascript runtime, a PNG library or a PDF viewer. There is nothing inherent in those things to make them unsafe (as opposed to say, running arbitrary executables), except maybe that they are written in C.