
Study Shows the Web is Crowded with Outdated, Vulnerable JavaScript Libraries

by Sergio De Simone on Mar 13, 2017. Estimated reading time: 2 minutes

As is generally understood, using a third-party library usually reduces development time, but it may also increase the attack surface a website exposes; hence the importance of keeping dependencies up to date to benefit from security fixes. Yet a recent study has found that 37% of the Alexa top 75K websites have at least one vulnerability and almost 10% have at least two. For example, 36.7% of jQuery inclusions, 40.1% of Angular inclusions, and more than 85% of Handlebars and YUI 3 inclusions were of a vulnerable version. Perhaps even more shockingly, 26% of the Alexa top 500 websites use vulnerable libraries.

The Northeastern University research group led by Tobias Lauinger, Abdelberi Chaabane, and others built a catalogue of all versions of 72 popular open source libraries, selected based on statistics from Bower and Wappalyzer, and set out to identify which of those libraries the analyzed websites used. Additionally, the researchers created a Chrome extension that builds the causality tree of a website, which shows why a given library was imported, e.g. through direct inclusion, or transitively through advertising, tracking or social media code. The study analyzed more than 133K websites, including the Alexa top 75K and another 75K chosen at random from the .com domain. That selection made it possible to compare high-traffic websites with less popular ones, with substantially similar results.

Besides the already mentioned finding that 37% of websites are vulnerable, other notable results of the research are the following:

  • Websites tend to use staggeringly outdated versions of third-party libraries: in the Alexa set, the median lag between the version of a library in use and the most recent one is 1,177 days (more than three years).
  • Often, the inclusion of vulnerable libraries is due to external components such as advertising, tracking or social media widgets.
  • An additional risk factor comes from duplicate inclusions of a library, which can give rise to nondeterministic behaviour with respect to vulnerability: which copy ends up active depends on load order.
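The measurements above come down to three checks per page: which catalogued library and version each script URL corresponds to, how many days that version lags the newest catalogued release, and whether the same library is loaded more than once. The following is an added illustration of that pipeline, not code from the article or from the Northeastern study, and it uses a constructed catalogue with hypothetical library names (libalpha, libbeta), release dates and fixed-in versions; none of these correspond to real libraries or real advisories. Detection here is by filename only; the study also fingerprinted file contents, which this example does not do.

```javascript
// Added example: version-lag and known-vulnerable-version check over the
// <script> URLs a page loads. CATALOGUE is CONSTRUCTED placeholder data, not
// real libraries or real advisories.
const CATALOGUE = {
  libalpha: {
    releases: [
      { version: '1.0.0', date: '2013-01-10' },
      { version: '1.2.0', date: '2014-06-01' },
      { version: '2.0.0', date: '2015-09-15' },
      { version: '2.1.0', date: '2016-11-20' },
    ],
    fixedIn: '2.0.0', // hypothetical: versions below this carry the issue
  },
  libbeta: {
    releases: [
      { version: '3.0.0', date: '2015-03-03' },
      { version: '3.1.0', date: '2016-08-08' },
    ],
    fixedIn: null, // no known issue in this constructed catalogue
  },
};

// Parse "major.minor.patch" into numbers; non-numeric parts become 0.
function parseVersion(v) {
  return v.split('.').map((p) => parseInt(p, 10) || 0);
}

// Numeric comparison: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recognise "<name>-<version>[.min].js" at the end of a script URL (query
// string allowed). Bundled or renamed files escape filename detection.
const SCRIPT_RE = /\/([a-z0-9_]+)[-.](\d+\.\d+\.\d+)(?:\.min)?\.js(?:\?.*)?$/i;

function detectFromUrl(url) {
  const m = SCRIPT_RE.exec(url);
  if (!m) return null;
  const name = m[1].toLowerCase();
  return CATALOGUE[name] ? { library: name, version: m[2], url } : null;
}

const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Days between the release of the version in use and the newest catalogued
// release on or before the scan date; null if the version is not catalogued.
function lagDays(library, version, asOf) {
  const releases = CATALOGUE[library].releases
    .filter((r) => new Date(r.date) <= new Date(asOf));
  const used = releases.find((r) => r.version === version);
  if (!used) return null;
  const latest = releases.reduce((a, b) => (new Date(a.date) > new Date(b.date) ? a : b));
  return {
    latest: latest.version,
    days: Math.round((new Date(latest.date) - new Date(used.date)) / MS_PER_DAY),
  };
}

// One finding per detected inclusion; duplicate is set when the same library
// is loaded more than once on the page, whatever the versions.
function assessPage(scriptUrls, asOf) {
  const findings = [];
  const seen = new Map();
  for (const url of scriptUrls) {
    const hit = detectFromUrl(url);
    if (!hit) continue;
    const { fixedIn } = CATALOGUE[hit.library];
    const lag = lagDays(hit.library, hit.version, asOf);
    findings.push({
      library: hit.library,
      version: hit.version,
      latest: lag ? lag.latest : null,
      lagDays: lag ? lag.days : null,
      vulnerable: fixedIn !== null && compareVersions(hit.version, fixedIn) < 0,
      duplicate: false,
    });
    seen.set(hit.library, (seen.get(hit.library) || 0) + 1);
  }
  for (const f of findings) f.duplicate = seen.get(f.library) > 1;
  return findings;
}

// Median lag across findings with a known lag; null if there are none.
function medianLag(findings) {
  const lags = findings.map((f) => f.lagDays).filter((d) => d !== null).sort((a, b) => a - b);
  if (lags.length === 0) return null;
  const mid = Math.floor(lags.length / 2);
  return lags.length % 2 ? lags[mid] : (lags[mid - 1] + lags[mid]) / 2;
}

// Constructed sample page: an old libalpha included directly, a newer
// libalpha pulled in again by an ad widget, and an up-to-date libbeta.
const SAMPLE_SCRIPTS = [
  'https://static.example.test/js/libalpha-1.2.0.min.js',
  'https://ads.example.test/widget/libalpha-2.1.0.js?v=3',
  'https://cdn.example.test/libbeta-3.1.0.js',
];
const SAMPLE_FINDINGS = assessPage(SAMPLE_SCRIPTS, '2017-03-13');
console.log(JSON.stringify(SAMPLE_FINDINGS, null, 2));
```

On the sample page the first libalpha copy is flagged vulnerable with a lag of 903 days, and both libalpha entries are marked duplicate, which is the situation the third bullet describes: whether the page runs the patched or the unpatched copy depends on which script wins at load time, so the per-inclusion report matters more than a single per-page verdict.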

This state of affairs is not easy to remedy, the research concludes, because of the lack of backward-compatible security fixes for popular libraries and because of the way the JavaScript ecosystem is organized, with:

...no reliable vulnerability databases, no security mailing lists maintained by library vendors, few or no details on security issues in release notes, and often, it is difficult to determine which versions of a library are affected by a specific reported vulnerability.

Still, this study appears to be a first step in the right direction and is surely worth a read for all developers interested in JavaScript development.
