UPDATED 22:00 EDT / MARCH 12 2017

Research: More than a third of websites use vulnerable JavaScript libraries

A new paper from Northeastern University researchers has found that more than a third of websites may be using at least one JavaScript library with a known security vulnerability.

The research analyzed 133,000 domains based on Amazon.com Inc.’s Alexa Top 75,000 list and randomly selected .com domains by assessing 72 different JavaScript libraries including jQuery, Angular, Handlebars, Bootstrap, Modernizr, Moment, LoDash and others.

After running the complete analysis, the researchers found that 37 percent of all sites tested had at least one JavaScript vulnerability. In addition, 9.7 percent of sites tested were found to have two or more vulnerable library versions.

The good news is that the more popular a site, the less likely it was to have a JavaScript vulnerability, with only 21 percent of the Alexa top 100 sites being exposed.

Suggesting that a regular update path may be lacking on many servers, the research found that the median site tested used a library version 1,177 days older than the latest release of that library. Supporting that theory, the researchers noted a lack of awareness of security problems in the JavaScript community. They attribute this to security bugs being hard to find and to web developers being trapped on outdated JavaScript library versions because updates quite often break sites built against older versions.

“Perhaps our most sobering finding is practical evidence that the JavaScript library ecosystem is complex, unorganized, and quite ‘ad hoc’ with respect to security,” the researchers note. “There are no reliable vulnerability databases, no security mailing lists maintained by library vendors, few or no details on security issues in release notes, and often, it is difficult to determine which versions of a library are affected by a specific reported vulnerability.”

The researchers provided a full copy of the research paper, entitled “Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web.”

Photo: LearningLark/Wikimedia Commons
