<iframe>s with documents loaded
from different origins, it may even be
necessary to include the library multiple times because of the same-origin
policy limiting scripts’ access across origins. Yet, a closer look reveals that 4% of
websites using jQuery in Alexa include
the same version of the library two or
more times in the same document (5%
in .COM), and 11% (6%) include two or
more different versions of jQuery in the
same document. No benefit is derived
by including the library multiple times
in the same document because jQuery
registers itself as a window-global variable. Unless special steps are taken,
only the last loaded and executed instance in each document can be used
by client code; the other instances will
be hidden. Asynchronously included
instances may even create a race condition, making it difficult to predict which
version will prevail in the end.
As an illustration, consider the detail
from the causality tree for mercantil.
com in Figure 3b. The site includes
jQuery four times. All these inclusions
are referenced directly in the main
page’s source code, some of them directly adjacent to each other. On other
sites, duplicate inclusions were caused
by multiple scripts transitively including their own copies of jQuery. While
we can only speculate on why these
cases occur, at least some of them may
be related to server-side templating, or
the combination of independently developed components into a single document. Indeed, we have observed cases
where a Web application (for example, a
WordPress plug-in) that bundled its own
version of a library was integrated into a
page that already contained a separate
copy of the same library. Since duplicate inclusions of a library do not necessarily break any functionality, many
Web developers may not be aware that
they are including a library multiple
times, and even fewer may be aware
that the duplicate inclusion may be
potentially vulnerable.
What Can, and Should, Be Done?
Our research has shown that vulnerable
libraries are widely used on the Web. A
number of factors are at play, and no
single actor can be made responsible
for the situation. Instead, let’s look at
it from three different angles.
Dependency management. Website
used on a specific website. If Web de-
velopers can ensure a library vulnera-
bility cannot be exploited on their site,
they do not need to update to a newer
version. Yet, as we will discuss, the re-
lease notes of libraries rarely contain
enough information to allow a non-
expert to decide whether continuing
to use a vulnerable library on a specific
site is safe or not. Therefore, in prac-
tice, the safe course of action would be
always to update when a vulnerability
in a library is discovered.
Unfortunately, because of the release cycles and patching behavior of
library maintainers, updating a library
dependency is easier said than done.
Only a very small fraction of sites using
vulnerable libraries (less than 3% in
Alexa, and 2% in .COM) could become
free of vulnerabilities by applying only
patch-level updates. Updates of the
least significant version component,
such as from 1. 2. 3 to 1. 2. 4, would
generally be expected to be backward
compatible. In most cases, however,
patch updates are not available. The
vast majority of sites would need to install at least one library with a more recent major or minor version to remove
all vulnerabilities. Migrating to these
newer versions might necessitate additional code changes and site testing because of incompatibilities in the API.
Beyond vulnerabilities and considering all 72 supported libraries, 61% of
Alexa sites and 46% of .COM sites are
at least one patch version behind on
one of their included libraries. Even
though such updates should be “
painless,” they are often neglected. Similarly, the median Alexa site uses a version released 1,177 days ( 1,476 days
for .COM) before the newest available
release of the library. These results
demonstrate that the majority of Web
developers are working with library
versions released a long time ago.
Time differences measured in years
suggest that Web developers rarely
update their library dependencies
once they have deployed a site.
Analyzing the use of JavaScript libraries on websites reveals that libraries are often used in unexpected ways.
For example, about 21% of the websites
including jQuery in Alexa, and 17%
in .COM, do so two or more times in a
single Web page. That alone is no cause
for concern; when a website contains
The development
practices
adopted by
library maintainers
have a big influence
on how difficult
it will be for library
users to keep
their dependencies
up to date.
