What Percentage Of Websites Use Vulnerable Javascript Libraries?



GitHub recently introduced a useful new feature that displays a dependency graph of software projects. One of the most impressive aspects of this feature is its ability to flag dependencies with known vulnerabilities and notify the project administrator.

The dependency graphs only work for a few languages at the moment, but JavaScript is on the list. A typical JavaScript project has dozens or hundreds of dependencies, often in deep hierarchies, and there is no easy way for a developer to find out whether a vulnerability has been discovered in a project’s direct dependencies or in the transitive dependencies further down the tree.

Security alerts are great for the developers of open source projects hosted on GitHub, but not especially useful for developers who might integrate vulnerable projects into their work, or for end-users whose eCommerce stores and websites depend on vulnerable software.

In November, Snyk, which provides a vulnerability scanning service, released the results of a survey that analyzed 433,000 sites. In a finding that should worry anyone who depends on the security of the web, 77% of those sites were found to include at least one front-end JavaScript library with a known security vulnerability.

That’s not a comforting statistic. A significant percentage of the websites you and I visit every day rely on Javascript libraries with known vulnerabilities. The fact that a site has a vulnerability doesn’t necessarily mean that users of that site or the site itself are at risk. But it’s in the interest of web users for site owners to reduce the number of potential security issues they expose us to.

Once a library is included in a project, there is often resistance to updating it, especially when the update might break existing functionality. Vulnerabilities remain because developers prioritize stability over security, or simply don’t think about it at all. Then there is the problem of site and app users who neglect to update even when developers have patched their software.

GitHub’s vulnerability notifications are a helpful step toward reducing that exposure, and so is a recent addition to Google’s Chrome Developer Tools. The Dev Tools include an audit tab that leverages a Google-built automated auditing tool called Lighthouse. It’s used to scan sites for performance problems, accessibility issues, and so on.

Google has added a vulnerability scanner to the most recent version of Lighthouse that is capable of spotting known vulnerabilities in the JavaScript libraries used by a site. In fact, the vulnerability scanner uses Snyk’s data, the same service that was used to create the survey mentioned above.

Lighthouse is also available as a command line tool and a Node module. At the time of writing, the vulnerability scanner is only available in the development version of Chrome, but it will be more widely available soon.
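The two checks described above, flagging vulnerable transitive dependencies in a project tree and flagging vulnerable front-end libraries referenced by a page, both reduce to the same operation: identify a library and its version, then test that version against an advisory's affected range. The following Node.js script is an added example written for this article; it is not code from GitHub, Snyk or Lighthouse. The advisory table, library names (`widgetkit`, `formlib`), advisory ids (`EXAMPLE-2017-…`), dependency tree and HTML snippet are all constructed for illustration and do not describe real vulnerabilities; a real scanner would load a maintained database such as Snyk's and would also fingerprint libraries at runtime rather than relying on filenames alone.

```javascript
// Added example, not from the article or the tools it describes.
// CONSTRUCTED advisory table: names, ids and ranges are invented; none is a real vulnerability.
const ADVISORIES = [
  { library: 'widgetkit', range: '<1.12.0',        id: 'EXAMPLE-2017-001' },
  { library: 'formlib',   range: '>=2.0.0 <2.2.1', id: 'EXAMPLE-2017-002' },
];

// Parse "1.12.4" (optional "v" prefix, trailing pre-release/build tags ignored) into numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison, so "1.9.2" sorts before "1.12.0" (string comparison would get this wrong).
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Range grammar: whitespace-separated comparators (<, <=, >, >=, =); every clause must hold.
function satisfiesRange(version, range) {
  return range.trim().split(/\s+/).every((clause) => {
    const m = /^(<=|>=|<|>|=)?(.+)$/.exec(clause);
    const cmp = compareVersions(version, m[2]);
    switch (m[1] || '=') {
      case '<':  return cmp < 0;
      case '<=': return cmp <= 0;
      case '>':  return cmp > 0;
      case '>=': return cmp >= 0;
      default:   return cmp === 0;
    }
  });
}

// Walk a lockfile-style tree ({ name, version, dependencies: {...} }) so transitive
// dependencies are checked too, recording the path by which each one was pulled in.
function flattenDependencyTree(tree, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    out.push({ name, version: node.version, path: here.join(' > ') });
    flattenDependencyTree(node, here, out);
  }
  return out;
}

// Pull "name-1.2.3(.min).js" style references out of page HTML. Scripts whose
// filename carries no version (e.g. app.js) cannot be identified this way and are skipped.
function extractScriptLibraries(html) {
  const found = [];
  const re = /<script[^>]*\ssrc=["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const file = m[1].split('/').pop();
    const lib = /^([a-z][\w.]*?)[-.]v?(\d+\.\d+\.\d+)(?:\.min)?\.js$/i.exec(file);
    if (lib) found.push({ name: lib[1].toLowerCase(), version: lib[2], path: m[1] });
  }
  return found;
}

// Match every identified library against every advisory for that library.
function findVulnerable(deps, advisories = ADVISORIES) {
  const hits = [];
  for (const dep of deps) {
    for (const adv of advisories) {
      if (adv.library === dep.name && satisfiesRange(dep.version, adv.range)) {
        hits.push({ ...dep, advisory: adv.id, range: adv.range });
      }
    }
  }
  return hits;
}

// CONSTRUCTED inputs: a project dependency tree and a page snippet, both invented.
const SAMPLE_TREE = {
  name: 'shop-frontend', version: '1.0.0',
  dependencies: {
    formlib:   { version: '2.1.0', dependencies: {} },
    'cart-ui': { version: '3.4.1', dependencies: { widgetkit: { version: '1.9.2',  dependencies: {} } } },
    tracker:   { version: '0.5.0', dependencies: { widgetkit: { version: '1.12.3', dependencies: {} } } },
  },
};
const SAMPLE_HTML = `
<script src="/static/js/widgetkit-1.11.0.min.js"></script>
<script src="https://cdn.example.invalid/formlib/formlib-2.2.1.min.js"></script>
<script src="/static/js/app.js"></script>`;

function report(tree = SAMPLE_TREE, html = SAMPLE_HTML) {
  return {
    dependencies: findVulnerable(flattenDependencyTree(tree)),
    pageScripts: findVulnerable(extractScriptLibraries(html)),
  };
}

console.log(JSON.stringify(report(), null, 2));
```

Running it with `node` flags `formlib@2.1.0` and the transitive `cart-ui@3.4.1 > widgetkit@1.9.2` in the tree, while `widgetkit@1.12.3` under `tracker` passes because it is outside the constructed range; on the page side only `widgetkit-1.11.0.min.js` is flagged. The recorded path matters in practice: it tells the developer which direct dependency must be upgraded to pull in the fixed transitive one.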

Matthew Davis is a technical writer and Linux geek for Future Hosting.
