UPDATED 22:00 EDT / MARCH 12 2017


Research: More than a third of websites use vulnerable JavaScript libraries

A new paper from Northeastern University researchers has found that more than a third of websites may be using at least one JavaScript library with a known security vulnerability.

The research analyzed 133,000 domains based on Amazon.com Inc.’s Alexa Top 75,000 list and randomly selected .com domains by assessing 72 different JavaScript libraries including jQuery, Angular, Handlebars, Bootstrap, Modernizr, Moment, LoDash and others.

After running the complete analysis, the researchers found that 37 percent of all sites tested had at least one JavaScript vulnerability. In addition, 9.7 percent of sites tested were found to have two or more vulnerable library versions.

The good news is that the more popular a site, the less likely it was to have a JavaScript vulnerability, with only 21 percent of the Alexa top 100 sites being exposed.

Suggesting that a regular update path may be lacking on many servers, the research found that the median site tested used a library version 1,177 days older than the latest release of that library. Supporting that theory, the researchers noted a lack of awareness of security problems in the JavaScript community. They attribute this to security bugs being hard to find and to web developers being trapped on outdated JavaScript library versions, because updates quite often break sites built against older versions.

“Perhaps our most sobering finding is practical evidence that the JavaScript library ecosystem is complex, unorganized, and quite ‘ad hoc’ with respect to security,” the researchers note. “There are no reliable vulnerability databases, no security mailing lists maintained by library vendors, few or no details on security issues in release notes, and often, it is difficult to determine which versions of a library are affected by a specific reported vulnerability.”
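The kind of inventory check the study performed at scale, as an added example that is not the researchers' own tooling: it pulls library names and versions out of script URLs and compares them with a table of latest releases and vulnerable-version thresholds. The sample page, the regexes and every value in the table are constructed for illustration and are not advisory data.

```python
import re
from datetime import date

# Constructed sample page: an old jQuery next to a current Lodash (not a real site).
SAMPLE_HTML = """
<script src="https://cdn.example/ajax/libs/jquery/1.8.3/jquery.min.js"></script>
<script src="/static/lodash-4.17.21.min.js"></script>
<script src="/static/app.js"></script>
"""

# Constructed inventory: latest release, its date, and "fixed in" thresholds.
# Placeholder values for demonstration only, not real advisory data.
LIBRARY_INFO = {
    "jquery": {"latest": "3.6.0", "latest_date": date(2021, 3, 2),
               "vulnerable_below": ["3.5.0"]},
    "lodash": {"latest": "4.17.21", "latest_date": date(2021, 2, 20),
               "vulnerable_below": ["4.17.21"]},
}

SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)
# Matches CDN paths like "/libs/jquery/1.8.3/" and filenames like "lodash-4.17.21.min.js".
LIB_VERSION = re.compile(r'(?:/|^)(jquery|lodash)[/-]v?(\d+(?:\.\d+)+)', re.I)

def parse_version(v):
    """Turn "1.8.3" into (1, 8, 3) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))

def inventory(html):
    """Return {library: version} for every script URL with a recognisable version."""
    found = {}
    for src in SCRIPT_SRC.findall(html):
        m = LIB_VERSION.search(src)
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found

def assess(html, today):
    """Report, per detected library, whether it is below a fix threshold and how stale it is."""
    report = {}
    for lib, ver in inventory(html).items():
        info = LIBRARY_INFO.get(lib)
        if info is None:
            continue  # no data for this library: the mapping gap the researchers describe
        vulnerable = any(parse_version(ver) < parse_version(b) for b in info["vulnerable_below"])
        behind = parse_version(ver) < parse_version(info["latest"])
        # Days since the latest release shipped: a lower bound on how long the site has lagged.
        days_behind = (today - info["latest_date"]).days if behind else 0
        report[lib] = {"version": ver, "vulnerable": vulnerable, "days_behind_latest": days_behind}
    return report
```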

The researchers provided a full copy of the research paper, entitled “Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web.”
