Google announced this news on Jan. 25 through its G Suite Updates blog.
"Gmail currently restricts certain file attachments (e.g. .exe, .msc, and .bat) for security reasons, and starting on February 13, 2017, we will not allow .js file attachments as well," stated the blog.
For the uninitiated, Gmail already blocks standard Windows executable files (.exe), batch files (.bat), and Microsoft Management Console files (.msc).
To maintain the security of its services, it seems Google will now block .js file attachments, as malicious emails often carry rigged attachments in these formats to trick users into giving up their credentials.
Opening an unknown .js file starts the Windows Script Host, which runs the script inside the file. Running the Windows Script Host can prove to be very dangerous for the user as it can easily run Windows executables.
Google said that an "in-product" warning will appear if someone tries to attach a .js file to an email after Feb. 13.
Gmail Phishing Scam
For the unfamiliar, Gmail users fell victim to a widespread phishing scam last week, which fooled them into giving up their Google credentials.
The hackers used the compromised mail accounts to go through the sent folder and pass the malware to other unsuspecting Gmail users. The most effective part of the trick is that the malicious mail came from the account of a known person, whose account had already been hacked.
Malware was disguised as image attachments in the form of a PDF. On clicking for a preview, a new tab would open up for the user, asking him or her to log into their Gmail account again. The location bar would display the address as "accounts.google.com," which led most users to believe they had arrived at the authentic Gmail login page. What they missed was a small detail: the prefix "data:text/html" placed in front of the host name, which means the address is a data URI rather than a page served from that host.
The hackers behind this scam were able to block the user from using any other services linked to Google accounts.
Reason Behind The Security Measure
Google has not provided the public with a detailed explanation other than saying that this step was taken for "security reasons."
Whether this step was taken as a security measure because of the recent phishing scam is not clear and is merely an assumption.