Obsolete libraries and a disorganized ecosystem: The serious JavaScript problems

Whenever we talk about security on the Internet we think of Flash Player, and how its many vulnerabilities have reduced its presence to “only” 10% of the main websites. However, there is another actor that also draws frequent criticism: JavaScript, on which Google has declared war and which it will block in Gmail.

Right now, the JavaScript problem seems to be getting worse. According to what has been published in ZDNet, of 133,000 scanned websites at least 37% have a JavaScript library with a known vulnerability. Northwestern University had already warned in a study about the problem of websites loading old versions of JavaScript libraries, but it seems that nobody paid much attention.

The fact is that the Northwestern researchers have returned to the charge by publishing another study, in which they point out that vulnerable libraries can be “very dangerous” under the right conditions. The study points to an old jQuery bug that could be exploited through a cross-site scripting (XSS) attack.

How the study was done

To prepare the study, they looked at the top 75,000 Alexa websites, and then randomly selected 75,000 .com domains, checking them for 72 different libraries and their respective versions. In all, 87% of the Alexa websites and 46.5% of the “dot com” domains used at least one of the 72 libraries.

Among the study's findings, 36.7% of the sites using jQuery, 40.1% of those using Angular, 86.6% of those using Handlebars and 87.3% of those using YUI include a vulnerable version. In addition, the researchers found that 9.7% of the websites included in the study use two or more vulnerable versions of one of the libraries.
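The kind of inventory the study describes (finding which scripts a page loads, which library and version each one is, and whether that version is known to be affected) can be sketched in a few dozen lines. The following is an added example written for this article, not the researchers' scanner or any library's own code: it pulls `<script src>` references out of a page's HTML, guesses the library and version from common CDN and filename conventions, flags versions below a threshold, and also reports pages that load two different versions of the same library (the 9.7% finding above). The library list, the sample HTML and the thresholds in `VULN_BELOW` are all constructed for the demo; the thresholds are placeholders, not real advisory data, and the version-guessing is a heuristic, so an unversioned file such as `handlebars.min.js` is reported with an unknown version rather than a verdict.

```javascript
// Added example: a minimal client-side JavaScript library inventory.
// Not the study's scanner; library names, sample HTML and thresholds are constructed.

const KNOWN_LIBS = ['jquery', 'angular', 'handlebars', 'yui']; // constructed subset

// PLACEHOLDER thresholds (not advisory data): versions strictly below the
// threshold are treated as vulnerable for this demo only.
const VULN_BELOW = { jquery: '1.9.0', angular: '1.6.0', handlebars: '4.0.0', yui: '3.10.0' };

// Library name as a path/filename token, e.g. "/jquery/", "jquery-1.8.3", "jquery.min.js".
const LIB_RE = new RegExp('(?:^|[/\\-_.])(' + KNOWN_LIBS.join('|') + ')(?=[/\\-_.]|$)');
// Version number as a path segment or filename suffix, e.g. "/1.8.3/", "-1.8.3.min.js", "-v1.3.0.js".
const VERSION_RE = /(?:^|[\/\-v.])(\d+\.\d+(?:\.\d+)?)(?=[\/\-.]|$)/;

// Collect the src attribute of every <script> tag that has one.
function extractScriptSrcs(html) {
  const re = /<script\b[^>]*?\ssrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const srcs = [];
  let m;
  while ((m = re.exec(html)) !== null) srcs.push(m[1]);
  return srcs;
}

// Numeric dotted-version comparison: -1, 0 or 1. Missing components count as 0.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Map one script URL to {src, lib, version, vulnerable}, or null if no known library matches.
// Only the URL path is inspected; the base URL is a dummy so relative and
// protocol-relative references parse too.
function identifyLibrary(src) {
  const path = new URL(src, 'https://example.invalid/').pathname.toLowerCase();
  const lib = (path.match(LIB_RE) || [])[1];
  if (!lib) return null;
  const version = (path.match(VERSION_RE) || [])[1] || null; // null = could not tell
  const vulnerable = version !== null && compareVersions(version, VULN_BELOW[lib]) < 0;
  return { src, lib, version, vulnerable };
}

// Scan a page: per-script findings plus libraries loaded in two or more distinct versions.
function scanPage(html) {
  const findings = extractScriptSrcs(html).map(identifyLibrary).filter(Boolean);
  const versionsByLib = {};
  for (const f of findings) {
    if (f.version === null) continue;
    (versionsByLib[f.lib] = versionsByLib[f.lib] || new Set()).add(f.version);
  }
  const duplicated = Object.entries(versionsByLib)
    .filter(([, versions]) => versions.size >= 2)
    .map(([lib, versions]) => ({ lib, versions: [...versions].sort(compareVersions) }));
  return { findings, duplicated };
}

// Constructed sample page: two jQuery versions (both below the placeholder threshold),
// an Angular build below its threshold, an unversioned Handlebars file, an unrelated
// application script, and a YUI build above its threshold.
const SAMPLE_HTML = `
<html><head>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script>
<script src="/static/js/jquery-1.4.2.min.js"></script>
<script src='//cdnjs.example/angular/1.5.8/angular.min.js'></script>
<script src="/js/handlebars.min.js"></script>
<script src="/js/app.js"></script>
<script type="module" src="https://cdn.example/yui/3.18.1/yui-min.js"></script>
</head><body></body></html>`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(scanPage(SAMPLE_HTML), null, 2));
}
```

Running it on the sample page lists five identified scripts (app.js is skipped), marks both jQuery copies and the Angular copy as below their placeholder thresholds, leaves Handlebars at "version unknown", and reports jQuery as loaded in two versions. The unknown-version case is the practical point: when a site ships `library.min.js` with no version in the name, an external scan cannot tell whether it is affected, which is exactly the kind of ambiguity the researchers complain about later in the article.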

However, the most popular websites are less likely to use any of these obsolete libraries: the Northeastern researchers saw that only 21% of the top 100 had this problem. That does not mean, however, that the JavaScript ecosystem is in good shape. In the words of the researchers:

Our most serious finding has been to find evidence that the JavaScript library ecosystem is complex, disorganized and quite “ad hoc” in terms of security. There are no reliable vulnerability databases, no security mailing lists maintained by library vendors and, on occasion, it is difficult to determine which versions of a library are affected by an already reported bug.

According to the study, remedying this situation will take a long time and will be a very difficult task, since most websites use very obsolete libraries.
