77% of websites use JavaScript libraries with at least one vulnerability


77% of websites use JavaScript libraries with at least one vulnerability

Author: Tim Kadlec
compile:Beard big ha

Translated text:http://huziketang.com/blog/posts/detail?postId=58df725ba58c240ae35bb8dc
English connection:77% of sites use at least one vulnerable JavaScript library

Please indicate the source and keep the original link and author information

A few weeks ago, an article said that 37% of websites used JavaScript libraries with at least one vulnerability. When we writeThis reportAs mentioned, we expect the actual situation to be worse than this.

Actually, it’s much worse.

We ran the test on the top 5000 website on Alexa and found that the number reached a staggering 76.6%, and 76.6% of the websites used a library containing at least one vulnerability. If you’re curious about how we did the experiment, go on.


In order to do this test, we caught the website URL of top 5000 on Alexa. In the process of grasping, it is found that many websites have been inaccessible. The strategy is to continue to grasp down according to the ranking until 5000 URLs are enough.

Each URL usesWebPageTestRun again. Webpagetest loads each page in chrome and executes some JavaScript scripts to determine the JavaScript library it uses.

For example, in order to determine the jQuery version used, the following code will be executed after each page is loaded:

    return jQuery && jQuery.fn && jQuery.fn.jquery

Contains the following libraries to detect whether they exist:

  • jQuery

  • Handlebars

  • Mustache

  • React

  • Angular

  • Ember

  • jQueryUI

  • YI

  • Dojo

And snyk for each detected versionOpen source software vulnerability LibraryCompare to see how many libraries contain known vulnerabilities.

The result is not beautiful

As mentioned above, the security of the JavaScript library is terrible — there is no gorgeous cloak to hide it. Of the 5000 websites, 3831 (76.6%) used JavaScript libraries with at least one vulnerability.

77% of websites use JavaScript libraries with at least one vulnerability

It sounds scary that the proportion is so high, but as mentioned in the original report, the actual situation may be worse. We tested nine JavaScript libraries, and hundreds of JavaScript frameworks and libraries are available. The nine libraries tested are the most popular among them, so there should be no big jump in the proportion number, which may be different from the actual situation.

Again, this is only for the client side to test known third-party JavaScript library vulnerabilities. It does not include the server side and its own JavaScript services. Some new vulnerabilities will be added to our database, and some may not be made public.


JQuery is undoubtedly the most popular one we tested. Its popularity is well documented. 79% of the 5000 URLs tested use jQuery.

Although jQuery is nothing special, it is so popular that it has also become the target of public criticism. Many people study its vulnerabilities (yes)5 known vulnerabilities, which has been fixed in the latest version).

As the results show, even if we only detect jQuery, 75.1% of the websites use the vulnerable version. This largely depends on how many years the jQuery library has been used in the product. Among the products surveyed, 17.4% of jQuery libraries have been used for more than 5 years. This is consistent with the conclusion of our last report: people do not update the library often.

77% of websites use JavaScript libraries with at least one vulnerability

The latest version of jQuery without vulnerabilities is above version 3.0.0. For current jQuery users, version change is not so simple, because upgrading is likely to cause bugs and requires an overall system upgrade. The detected jQuery reached 79% in version 1. X. Although jQuery 3.0.0 has only been released for about a year, only 3.6% of websites use version 3. X, which is really too low.

77% of websites use JavaScript libraries with at least one vulnerability

77% of websites use JavaScript libraries with at least one vulnerability

Next week we will conduct an in-depth analysis of jQuery, because it is so popular and makes it more interesting to study it.

jQuery UI

In terms of popularity, the next one is jQuery UI, accounting for about 19.3% of the tested URLs. Similarly, most jQuery UI users are using the vulnerable version, although it can be upgraded. About 91% of the jQuery UI libraries in the tested websites have at least one vulnerability.

77% of websites use JavaScript libraries with at least one vulnerability

Like jQuery, it is largely because people do not upgrade. 21% of websites have used the same jQuery UI version for more than 5 years.


Handlebar accounted for 3.4% of the tested websites. 68% of them use the vulnerable version of handlebars.

As above, using the new version of the response lag is the culprit of this phenomenon. From the data point of view, the use of the new version of handlebars is still popular. We did not detect the latest version of handlebars 4.0.6, but the previous version 4.0.5, which can account for 26.7% of the total use of handlebars.

77% of websites use JavaScript libraries with at least one vulnerability

However, due to the slow release of its version (sinceOnly two minor versions have been released since November 2015)This has also led to the use of handlebars on these websites. One version has been used for two years. On the whole, handlebars versions over 3 years account for 40%.

React, Mustache, Angular, YUI and Dojo

React (1.7%), Mustache (1.6%), Angular (1.3%), YUI (0.7%) and Dojo (0.2%) 。 In the tested websites, these frameworks are rarely used, so the analysis conclusion of each individual is not reliable. If they are analyzed as a whole, vulnerabilities are also common, and 56.3% of the versions are vulnerable.

Our useful conclusions

There is no denying that the results of the survey are not good. Our original estimate should be optimistic. No one wants to see that 77% of websites are using vulnerable libraries.

It should be noted that no single solution can solve this problem. On the contrary, we need to improve security awareness, use better tools, a set of simple and maintainable JavaScript front-end implementation methods, etc. (the use of front-end package management tools is far from as common as the back-end). And this is just the beginning.

But,As we said earlier, we are still full of confidence. The security problem of third-party JavaScript is a solvable problem, but it takes longer than expected.

Due to the data sensitivity of this report, we are not prepared to disclose the original data (which contains a list of websites and vulnerable websites). But if you are a webmaster, welcomecontact usCheck whether your website is in this report and, if so, in the vulnerable list. If you can use NPM package, you canTest your website with snykIt can also help you find some potential security vulnerabilities.

If this article is helpful to you, please follow my column-Front end big ha, regularly publish high-quality front-end articles.

I’m writing a book recentlyReact.js small book, children’s shoes interested in react.js,Welcome advice

Recommended Today

Seven solutions for distributed transactions

1、 What is distributed transaction Distributed transaction means that transaction participants, transaction supporting servers, resource servers and transaction managers are located on different nodes of different distributed systems. A large operation is completed by more than n small operations. These small operations are distributed on different services. For these operations, either all of them are […]