Research: More than a third of websites use vulnerable JavaScript libraries


A new paper from Northeastern University researchers has found that more than a third of websites may be using at least one JavaScript library with a known security vulnerability.

The researchers crawled roughly 133,000 domains, drawn from Amazon.com Inc.’s Alexa Top 75,000 list and a random sample of .com domains, and checked each site for 72 different JavaScript libraries including jQuery, Angular, Handlebars, Bootstrap, Modernizr, Moment, LoDash and others.

After running the complete analysis, the researchers found that 37 percent of all sites tested loaded at least one library version with a known vulnerability, and 9.7 percent loaded two or more vulnerable library versions.

The good news is that the more popular a site, the less likely it was to load a vulnerable library: only 21 percent of the Alexa top 100 sites were affected.

The research also found that the median site tested used a library version 1,177 days (more than three years) older than the newest release of that library, suggesting that many sites have no regular update path at all. Supporting that theory, the researchers noted a general lack of awareness of security problems in the JavaScript community. They attribute this to security bugs being hard to find and to web developers being trapped on outdated library versions, because updates often break sites written against the older versions.

“Perhaps our most sobering finding is practical evidence that the JavaScript library ecosystem is complex, unorganized, and quite ‘ad hoc’ with respect to security,” the researchers note. “There are no reliable vulnerability databases, no security mailing lists maintained by library vendors, few or no details on security issues in release notes, and often, it is difficult to determine which versions of a library are affected by a specific reported vulnerability.”
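The two problems described above, sites running library versions years behind the newest release and nobody being able to tell which versions an advisory actually covers, are what a client-side library scanner has to deal with. The following is an added example, not code from the paper or from this article: it reads the version strings that common libraries expose on the page's global object (jQuery.fn.jquery, angular.version.full, Handlebars.VERSION, moment.version, _.VERSION), matches them against affected-version ranges with an exclusive upper bound, and computes how many days a version lags the newest release. The advisory table, the release dates and the stand-in window object are constructed sample data and the EXAMPLE-n identifiers are placeholders; they do not describe real vulnerabilities.

```javascript
// Added example, not from the paper or the article. ADVISORIES, the dates
// passed to daysBehind and SAMPLE_WINDOW are CONSTRUCTED sample data; the
// "EXAMPLE-n" identifiers are placeholders, not real advisories.

// One detector per library: read the version string the library itself
// publishes on the globals object (window in a browser); null when absent.
const DETECTORS = {
  jquery:     (g) => (g.jQuery && g.jQuery.fn && g.jQuery.fn.jquery) || null,
  angularjs:  (g) => (g.angular && g.angular.version && g.angular.version.full) || null,
  handlebars: (g) => (g.Handlebars && g.Handlebars.VERSION) || null,
  moment:     (g) => (g.moment && g.moment.version) || null,
  lodash:     (g) => (g._ && g._.VERSION) || null,
};

// Parse "1.8.3", "v2.1" or "1.9.0-rc1" into [major, minor, patch]; missing
// components default to 0 and any prerelease suffix is ignored.
function parseVersion(s) {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?/.exec(String(s).trim());
  return m ? [Number(m[1]), Number(m[2] || 0), Number(m[3] || 0)] : null;
}

// Numeric comparison: "1.10.2" > "1.9.1", which a plain string compare gets wrong.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// A range is [firstAffected, firstFixed): the upper bound is exclusive, so the
// release that ships the fix is not reported as vulnerable.
function inRange(version, [firstAffected, firstFixed]) {
  return compareVersions(version, firstAffected) >= 0 &&
         compareVersions(version, firstFixed) < 0;
}

// Run every detector against a globals object and return { library: version }
// for the libraries that are present on the page.
function detectLibraries(globals) {
  const found = {};
  for (const [name, detect] of Object.entries(DETECTORS)) {
    const v = detect(globals);
    if (v) found[name] = String(v);
  }
  return found;
}

// Cross the detected libraries with an advisory list; one finding per
// (library, advisory) pair whose affected ranges contain the loaded version.
function findVulnerable(globals, advisories) {
  const found = detectLibraries(globals);
  const findings = [];
  for (const adv of advisories) {
    const version = found[adv.library];
    if (version && adv.affected.some((range) => inRange(version, range))) {
      findings.push({ library: adv.library, version, id: adv.id });
    }
  }
  return findings;
}

// Whole days between two ISO dates (YYYY-MM-DD, parsed as UTC): the release
// date of the version a site loads versus the release date of the newest version.
function daysBehind(usedReleaseDate, latestReleaseDate) {
  const ms = Date.parse(latestReleaseDate) - Date.parse(usedReleaseDate);
  return Math.round(ms / 86400000);
}

// CONSTRUCTED advisory data for illustration only.
const ADVISORIES = [
  { library: 'jquery', id: 'EXAMPLE-1', affected: [['1.0.0', '1.9.0']] },
  { library: 'jquery', id: 'EXAMPLE-2', affected: [['1.0.0', '1.12.0'], ['2.0.0', '2.2.0']] },
  { library: 'moment', id: 'EXAMPLE-3', affected: [['2.0.0', '2.19.3']] },
];

// CONSTRUCTED stand-in for window: a page that loaded jQuery 1.8.3 and moment 2.19.0.
const SAMPLE_WINDOW = {
  jQuery: { fn: { jquery: '1.8.3' } },
  moment: { version: '2.19.0' },
};

// Scan the constructed page; in a browser you would pass `window` instead.
function scanSample() {
  return {
    libraries: detectLibraries(SAMPLE_WINDOW),
    findings: findVulnerable(SAMPLE_WINDOW, ADVISORIES),
    // constructed release dates, chosen to reproduce the paper's median gap
    daysBehind: daysBehind('2013-01-01', '2016-03-23'),
  };
}

console.log(JSON.stringify(scanSample(), null, 2));
```

In a browser the same functions run against `window`; the detectors only read properties the libraries define themselves, so a page that bundles or renames a library will simply not be detected, which is one reason coverage numbers from this kind of scan are a lower bound.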

The researchers provided a full copy of the research paper, entitled “Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web.”

Photo: LearningLark/Wikimedia Commons