This rule is deprecated; use {rule:javascript:S4507} instead.

Why is this an issue?

alert(...) as well as confirm(...) and prompt(...) can be useful for debugging during development, but in production mode this kind of pop-up could expose sensitive information to attackers, and should never be displayed.

Noncompliant code example

if(unexpectedCondition) {
  alert("Unexpected Condition");
}

Resources

• OWASP - Top 10 2017 Category A3 - Sensitive Data Exposure
• CWE - CWE-489 - Active Debug Code