its possible that there are bugs in the javascript engine of a browser which allow for shellcode to be executed. but a virus in javascript is not possible, since viruses rely on infecting other programs and this is very difficult if not impossible in javascript and therefore nobody would write a virus in js this video might be interesting to you: https://m.youtube.com/watch?v=xkdPjbaLngE its a walkthrough for a typical javascript engine exploit activex is an old mircrosoft technology thats no longer supported and i don‘t think it works out of the box in modern browsers