By Tim Kadlec

Translation: huziketang.com/blog/posts/… · Original: 77% of Sites Use at Least One Vulnerable JavaScript Library

When reproducing this translation, credit the source and keep the original link and author information.

A few weeks ago we published a report finding that 37% of websites use a JavaScript library with at least one known vulnerability. In that report we said we expected the real figure to be worse.

In fact, it's much worse.

We ran the same test against the Alexa top 5,000 sites and found that a staggering 76.6% of them use at least one library with a known vulnerability. If you're curious how we ran the experiment, read on.

The test

To do this we took the URLs of the top 5,000 sites on Alexa. While crawling, we found that many of the sites were no longer reachable, so we kept walking down the ranking until we had 5,000 URLs that loaded.

Each URL was then run through WebPageTest. WebPageTest loads the page in Chrome and, once it has loaded, executes a set of small JavaScript snippets (custom metrics) that probe for each library and report its version.

For example, to determine the version of jQuery in use, the following snippet is executed in each page after it loads:

    // evaluated inside the loaded page by WebPageTest;
    // yields the version string (for example "1.12.4") when jQuery is present
    return jQuery && jQuery.fn && jQuery.fn.jquery

The test checks for the presence of the following libraries:

  • jQuery
  • Handlebars
  • Mustache
  • React
  • Angular
  • Ember
  • jQueryUI
  • YUI
  • Dojo

Each detected version was then looked up in Snyk's open source vulnerability database to determine how many of the libraries in use had known vulnerabilities.
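The detection and lookup described above, as an added example in plain JavaScript (this is not the post's WebPageTest scripts nor Snyk's database): detectLibraries probes a page's global object for the nine libraries the post lists, and auditPage compares each detected version against a small advisory table. The global names and version properties used (jQuery.fn.jquery, jQuery.ui.version, Handlebars.VERSION, Mustache.version, React.version, angular.version.full, Ember.VERSION, YUI.version / YAHOO.VERSION, dojo.version) are assumptions about those libraries' public APIs, and the advisory table is constructed for illustration: only the jQuery threshold (3.0.0, the first version with no known vulnerabilities) comes from the post; the other thresholds and all advisory identifiers are placeholders.

```javascript
// Added example: probe a page's global object for the nine libraries the post
// tested and check each detected version against an advisory table.
// `root` is the page's global object (window in a browser); the probes below
// rely on assumed public version properties of each library.
const DETECTORS = {
  jQuery:     r => r.jQuery && r.jQuery.fn && r.jQuery.fn.jquery,
  jQueryUI:   r => r.jQuery && r.jQuery.ui && r.jQuery.ui.version,
  Handlebars: r => r.Handlebars && r.Handlebars.VERSION,
  Mustache:   r => r.Mustache && r.Mustache.version,
  React:      r => r.React && r.React.version,
  Angular:    r => r.angular && r.angular.version && r.angular.version.full,
  Ember:      r => r.Ember && r.Ember.VERSION,
  YUI:        r => (r.YUI && r.YUI.version) || (r.YAHOO && r.YAHOO.VERSION),
  Dojo:       r => r.dojo && r.dojo.version && typeof r.dojo.version.major === 'number' &&
                   [r.dojo.version.major, r.dojo.version.minor, r.dojo.version.patch].join('.'),
};

// Returns { libraryName: versionString } for every library found.
function detectLibraries(root = globalThis) {
  const found = {};
  for (const [name, probe] of Object.entries(DETECTORS)) {
    let version;
    try {
      version = probe(root);
    } catch (e) {
      version = undefined; // a page-defined getter that throws must not abort the scan
    }
    if (typeof version === 'string' && version !== '') found[name] = version;
  }
  return found;
}

// "1.12.4" -> [1, 12, 4]; a prerelease suffix such as "-rc1" is ignored and
// missing components are treated as 0, so "3" compares equal to "3.0.0".
function parseVersion(v) {
  const parts = String(v).split('-')[0].split('.').map(p => parseInt(p, 10) || 0);
  return parts.concat([0, 0, 0]).slice(0, 3);
}

// Numeric, component-wise comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Constructed advisory table: a detected version is flagged when it is older
// than the advisory's first fixed release. Only the jQuery threshold (3.0.0)
// comes from the post; the other rows and all identifiers are placeholders.
const ADVISORIES = {
  jQuery:     [{ id: 'EXAMPLE-JQ-1',   fixedIn: '3.0.0' }],
  jQueryUI:   [{ id: 'EXAMPLE-JQUI-1', fixedIn: '1.12.0' }],
  Handlebars: [{ id: 'EXAMPLE-HB-1',   fixedIn: '4.0.0' }],
};

// Returns { libraryName: { version, vulnerable, advisories: [ids] } }.
function auditPage(root = globalThis, advisories = ADVISORIES) {
  const report = {};
  for (const [lib, version] of Object.entries(detectLibraries(root))) {
    const hits = (advisories[lib] || [])
      .filter(a => compareVersions(version, a.fixedIn) < 0)
      .map(a => a.id);
    report[lib] = { version, vulnerable: hits.length > 0, advisories: hits };
  }
  return report;
}

// In a browser console this prints the report for the current page;
// under Node there is no window, so nothing is printed.
if (typeof window !== 'undefined') {
  console.log(JSON.stringify(auditPage(window), null, 2));
}
```

In a browser, paste the block into the console of the page under test and it prints the report. The root parameter exists so the same code can be exercised offline against a fake global object, and the try/catch around each probe keeps a host page that defines a throwing getter from aborting the scan. The version comparison is numeric per component (so 1.12.4 sorts after 1.9.0, which a string comparison gets wrong) and ignores prerelease suffixes, which is adequate for the release builds that ship to production.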

The results are not pretty

As the headline says, the state of JavaScript library security is bad, and there is no sugar-coating it. Of the 5,000 sites, 3,831 (76.6%) used at least one JavaScript library with a known vulnerability.

That sounds alarming, but, as the original report suggested, the real situation is probably worse. We tested for nine libraries, and there are hundreds of JavaScript frameworks and libraries in use. The nine we tested are among the most popular, so testing for more would probably move the percentage by only a few points, but it could only move it up.

Note also that this is purely a client-side test for known vulnerabilities in third-party JavaScript libraries. It does not cover server-side code or a site's own first-party JavaScript. Nor does it account for vulnerabilities that have not yet been added to our database, including some that are known but not yet public.

jQuery

jQuery is by far the most popular library among the URLs we tested, and its popularity is well documented: 79% of the 5,000 sites use it.

jQuery is not unusually insecure, but its popularity makes it a frequent target of security research; it has five known vulnerabilities, all of which are fixed in the latest version.

Looking at jQuery alone, 75.1% of sites were running a vulnerable version. Much of this comes down to how old the jQuery build bundled with a product is: 17.4% of the jQuery versions we saw were more than five years old. That matches the conclusion of our earlier report: people rarely update their libraries.

Only jQuery 3.0.0 and later have no known vulnerabilities. For existing jQuery users, though, a major-version change is not trivial: the upgrade can break things and may require reworking the site around it. jQuery 1.x still accounts for 79% of the jQuery in use, and although jQuery 3.0.0 has been out for about a year, only 3.6% of sites use a 3.x version, which is strikingly low.

We’ll take a closer look at jQuery next week, because it’s so popular that it’s fun to study.

jQuery UI

Next in popularity is jQuery UI, present on 19.3% of the URLs tested. As with jQuery, most jQuery UI users are on a vulnerable version even though fixed releases are available: roughly 91% of the jQuery UI copies we found had at least one known vulnerability.

Again, a large part of the reason is that people do not upgrade: 21% of the sites were running a jQuery UI version more than five years old.

Handlebars

Handlebars was found on 3.4% of the sites tested, and 68% of those used a vulnerable version.

Again, slow adoption of new releases is to blame, although Handlebars users are comparatively current: we did not find the latest release, but the one before it, 4.0.5, accounted for 26.7% of all Handlebars usage.

Handlebars itself releases slowly (only two minor versions since November 2015), so the Handlebars in use is typically around two years old, and versions more than three years old made up 40% of what we found.

React, Mustache, Angular, YUI and Dojo

React (1.7%), Mustache (1.6%), Angular (1.3%), YUI (0.7%) and Dojo (0.2%) appeared on too few of the tested sites for per-library analysis to be reliable. Taken as a group, however, vulnerabilities were still common: 56.3% of the versions detected had at least one known vulnerability.

Useful conclusions that we have drawn

Admittedly, the results are not good. We would love to be more optimistic, but nobody wants to see 77% of websites using vulnerable libraries.

To be clear, there is no single fix. What is needed is a combination of greater security awareness, better tooling, and simpler, more maintainable ways of managing front-end JavaScript dependencies (package managers are far less common on the front end than on the back end). And that is only a start.

Still, as we said before, we remain confident. Third-party JavaScript security is a solvable problem; it is just taking longer than expected.

Because of the sensitivity of the data, we are not releasing the raw results (the list of sites and which of them are vulnerable). If you own a site, though, feel free to contact us to find out whether it was in the sample and, if so, whether it is on the vulnerable list. And if your project uses npm packages, testing it with Snyk can help you find vulnerable dependencies.

If this article was helpful, please follow my column, The Front End big ha, which regularly publishes high-quality front-end articles.


I’m currently working on a little book called React.js.