While using a third-party library usually reduces development time, it may also increase the attack surface exposed by a website, hence the importance of keeping dependencies up to date to benefit from security fixes. Yet a recent study has found that 37% of Alexa top 75K websites include at least one library with a known vulnerability, and almost 10% include at least two. Vulnerable versions accounted, for example, for 36.7% of jQuery inclusions, 40.1% of Angular inclusions, and more than 85% of inclusions of both Handlebars and YUI 3. Perhaps even more strikingly, 26% of Alexa top 500 websites use vulnerable libraries.
The Northeastern University research group led by Tobias Lauinger, Abdelberi Chaabane, and others built a catalogue of all versions of 72 popular open source libraries, selected based on statistics from Bower and Wappalyzer, and set out to identify which libraries were used by the analyzed websites. Additionally, the researchers created a Chrome extension to build the causality tree of a website, which shows why a given library was imported, e.g., through direct inclusion or transitively through advertising, tracking or social media code. The study analyzed more than 133K websites, including the Alexa top 75K and another 75K randomly chosen from the .com domain. That selection made it possible to compare high-traffic websites with less popular ones, with substantially similar results.
Besides the already mentioned finding that 37% of websites include a vulnerable library, other notable results of the research are the following:
- Websites tend to use staggeringly outdated versions of third-party libraries, with the median lag between the used version of a library and the most recent one being 1,177 days (more than three years) in Alexa.
- Often, the inclusion of vulnerable libraries is due to external components such as advertising, tracking or social media widgets.
- An additional risk factor comes from duplicate inclusions of a library, which can lead to nondeterministic behaviour with respect to whether the vulnerable version is the one actually in effect.
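The kind of inventory the study's catalogue and causality tree make possible can be approximated on a single page with a small script audit. The following is an added example, not code from the study or from its Chrome extension; the release table, the CDN URL patterns and the script records are constructed sample data:

```javascript
// Added example (not from the study): inventory the third-party scripts a page
// loads, recover library name and version from common CDN URL shapes, and flag
// versions behind the newest known release as well as duplicate inclusions of one
// library, including copies pulled in transitively by ad or tracking code.
// The release table and script records are constructed sample values.
const LATEST = { jquery: '3.2.1', handlebars: '4.0.5', angular: '1.6.4' };

// Script records as a causality tree would record them: URL plus the component
// responsible for the inclusion (the page itself or a third-party widget).
const SCRIPTS = [
  { src: 'https://code.jquery.com/jquery-1.8.3.min.js', via: 'page' },
  { src: 'https://ads.example/lib/jquery-1.4.2.min.js', via: 'advertising widget' },
  { src: 'https://cdnjs.cloudflare.com/ajax/libs/handlebars.js/2.0.0/handlebars.min.js', via: 'page' },
  { src: 'https://ajax.googleapis.com/ajax/libs/angularjs/1.6.4/angular.min.js', via: 'page' },
];

const PATTERNS = [
  { lib: 'jquery', re: /jquery[\/-](\d+\.\d+\.\d+)/i },
  { lib: 'handlebars', re: /handlebars(?:\.js)?[\/-](\d+\.\d+\.\d+)/i },
  { lib: 'angular', re: /angular(?:js)?[\/-](\d+\.\d+\.\d+)/i },
];

function identify(src) {
  for (const { lib, re } of PATTERNS) {
    const m = re.exec(src);
    if (m) return { lib, version: m[1] };
  }
  return null; // not one of the catalogued libraries
}

// Numeric major.minor.patch comparison: negative if a < b, 0 if equal, else positive.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

function audit(scripts) {
  const seen = new Set();
  const findings = [];
  for (const s of scripts) {
    const id = identify(s.src);
    if (!id) continue;
    // A second copy of the same library is a duplicate inclusion: the copy that
    // loads last typically owns the global, so the effective version is nondeterministic.
    const duplicate = seen.has(id.lib);
    seen.add(id.lib);
    const outdated = compareVersions(id.version, LATEST[id.lib]) < 0;
    findings.push({ ...id, via: s.via, outdated, duplicate });
  }
  return findings;
}

console.log(audit(SCRIPTS));
```

On the sample data the audit reports both jQuery copies as outdated, the second one (loaded by the advertising widget) as a duplicate, Handlebars as outdated, and Angular as current.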
This state of affairs is not easy to remedy, the research concludes, due to the lack of backward-compatible security fixes for popular libraries and to the way the JavaScript ecosystem is organized, with:
...no reliable vulnerability databases, no security mailing lists maintained by library vendors, few or no details on security issues in release notes, and often, it is difficult to determine which versions of a library are affected by a specific reported vulnerability.
Still, this study appears to be a first step in the right direction, and it is surely worth a read for all developers interested in JavaScript development.