[Ethereum] How does web3.js verify that it is geth that is listening on port 8545

Tags: security, web3js

With several web applications emerging that are essentially front-ends to dapps, there are RPC calls being made to localhost port 8545 (ostensibly by web3.js running in the web client). These local calls are even being made by web sites hosted on public URLs, something that does not occur in the vast majority of secure web apps.

While users know that they "must be running geth on my computer", they may not fully understand that this is happening or the security implications. If "something" other than geth or another valid Ethereum node is listening on port 8545, and implements the JSON-RPC API, the user may be interacting with the Ethereum network through that untrusted node.

How does web3.js know that the locally hosted RPC API is a valid node?

Best Answer

So to answer the question, web3 doesn't know. If the port hosts a service that presents a matching interface, web3 will use it, whether it's the official Geth or not.
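Added example (not from the question or the answer above, and not part of web3.js): a client-side sanity check of whatever is answering on the local RPC port. It sends `web3_clientVersion` and `eth_chainId` as JSON-RPC requests and compares the replies with what the user expects; the expected values and the `fakeNode` transport are constructed here. Because every value is self-reported by the listener, this only catches misconfiguration (wrong client, wrong network), not an impostor that answers as Geth would.

```javascript
// Assumption for this example: the user expects mainnet Geth on port 8545.
const EXPECTED = { clientPrefix: "Geth/", chainId: 1 };

function makeRequest(id, method, params = []) {
  return { jsonrpc: "2.0", id, method, params };
}

// transport(reqObj) -> Promise<respObj>. In a real page this would wrap
// fetch("http://localhost:8545", { method: "POST", body: JSON.stringify(req) }).
async function rpcCall(transport, id, method, params) {
  const resp = await transport(makeRequest(id, method, params));
  // Reject replies that are not well-formed JSON-RPC or that answer a different id.
  if (!resp || resp.jsonrpc !== "2.0" || resp.id !== id) {
    throw new Error(`malformed JSON-RPC reply for ${method}`);
  }
  if (resp.error) throw new Error(`${method} failed: ${resp.error.message}`);
  return resp.result;
}

// Returns { ok, version, chainId, findings }; findings lists every mismatch.
async function checkLocalNode(transport, expected = EXPECTED) {
  const findings = [];
  const version = await rpcCall(transport, 1, "web3_clientVersion");
  if (typeof version !== "string" || !version.startsWith(expected.clientPrefix)) {
    findings.push(`unexpected client: ${version}`);
  }
  const chainHex = await rpcCall(transport, 2, "eth_chainId");
  const chainId = Number.parseInt(chainHex, 16); // eth_chainId returns a hex quantity
  if (chainId !== expected.chainId) {
    findings.push(`unexpected chain id ${chainId} (want ${expected.chainId})`);
  }
  return { ok: findings.length === 0, version, chainId, findings };
}

// Constructed stand-in for a listener on port 8545; answers the two methods
// above and returns a JSON-RPC error for anything else.
function fakeNode(clientVersion, chainIdHex) {
  return async (req) => {
    const results = { web3_clientVersion: clientVersion, eth_chainId: chainIdHex };
    if (!(req.method in results)) {
      return { jsonrpc: "2.0", id: req.id, error: { code: -32601, message: "Method not found" } };
    }
    return { jsonrpc: "2.0", id: req.id, result: results[req.method] };
  };
}
```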