MANY WEBSITES USE third-party components such as JavaScript libraries, which bundle useful functionality so that developers can avoid reinventing the wheel. jQuery (https://jquery.com/) is arguably the most popular open source JavaScript library at the moment; it is found on 84% of the most popular websites as determined by Amazon’s Alexa (https://www.alexa.com/topsites). But what happens when libraries have security issues? Chances are that websites using such libraries inherit these issues and become vulnerable to attacks.

Given the risk of using a library with known vulnerabilities, it is important to know how often this happens in practice and, more importantly, who is to blame for the inclusion of vulnerable libraries—the developer of the website, or maybe a third-party advertisement, or tracker code loaded on the website?
We set out to answer these questions and found that with 37% of websites using at least one known vulnerable library, and libraries often being included in quite unexpected ways, there clearly is room for improvement in library handling on the Web. To that end, this article makes a few recommendations about what can be done to improve the situation.
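The attribution question raised above (did the site's own developer include the library, or did third-party ad or tracker code bring it in) can be made concrete with a small inventory check. The following is an added example, not code from the article or its authors: it takes a page origin and the script includes observed on it, labels each include as first-party or third-party by host, and flags library versions below a fix threshold. The jQuery threshold of 1.9.0, the sample page and the sample includes are constructed assumptions, not data from the article.

```javascript
// Added example (not from the article): inventory a page's script includes,
// attribute each to the first party (same host) or a third party, and flag
// library versions below a fix threshold. Node.js, constructed input only.
// "1.8.3" -> [1, 8, 3]; missing or non-numeric parts count as 0.
function parseVersion(v) {
  return String(v).split(".").map((p) => parseInt(p, 10) || 0);
}

// Negative if a < b, 0 if equal, positive if a > b, compared part by part
// so that "1.10.0" sorts after "1.9.0" (a plain string compare gets this wrong).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Third-party when the script host differs from the page host; relative
// URLs resolve against the page, so they are first-party by construction.
function isThirdParty(scriptSrc, pageOrigin) {
  return new URL(scriptSrc, pageOrigin).hostname !== new URL(pageOrigin).hostname;
}

// PLACEHOLDER policy (an assumption, not an advisory from the article):
// every version below fixedIn is outdated. Substitute real advisory data.
const POLICY = { jquery: { fixedIn: "1.9.0" } };

// includes: [{ src, library, version }] observed on the page.
// Returns one finding per include with attribution and an outdated flag.
function auditIncludes(pageOrigin, includes) {
  return includes.map((inc) => {
    const policy = POLICY[inc.library];
    return {
      src: inc.src,
      party: isThirdParty(inc.src, pageOrigin) ? "third-party" : "first-party",
      outdated: policy ? compareVersions(inc.version, policy.fixedIn) < 0 : false,
    };
  });
}

// Constructed sample: one copy of jQuery served by the site itself and one
// pulled in by a third-party loader script (hosts are invented).
const SAMPLE_PAGE = "https://www.example.test/";
const SAMPLE_INCLUDES = [
  { src: "/js/jquery-1.8.3.min.js", library: "jquery", version: "1.8.3" },
  { src: "https://cdn.ads.example/loader.js", library: "jquery", version: "1.12.4" },
];
console.table(auditIncludes(SAMPLE_PAGE, SAMPLE_INCLUDES));
```

In a real crawl the `includes` list would come from the page's script tags plus the library's own version marker (for jQuery, `jQuery.fn.jquery`), and the policy table from the advisories for each library in use.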
JavaScript Vulnerabilities
Before delving into how to detect the use of vulnerable libraries on the Web, we need to agree on what constitutes a vulnerability. First, we are interested only in code that will run on the client side—that is, in a Web browser. JavaScript is the de facto standard language for that purpose, and it has become notorious for security vulnerabilities such
Thou Shalt Not Depend on Me
DOI: 10.1145/3190562
Article development led by queue.acm.org
A look at JavaScript libraries in the wild.
BY TOBIAS LAUINGER, ABDELBERI CHAABANE, AND CHRISTO B. WILSON
This article is based on original research by T. Lauinger, A. Chaabane, S. Arshad, W. Robertson, C. Wilson, and E. Kirda. It was first published as “Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web” in Proceedings of the 2017 Network and Distributed System Security Symposium (https://seclab.ccs.neu.edu/static/publications/ndss2017jslibver.pdf).