Author: Tim Kadlec
Translated by: Beard big ha
Please indicate the source and keep the original link and author information
Actually, it’s much worse.
We ran the test against the Alexa top 5000 websites and found that the number reached a staggering 76.6%: 76.6% of the sites loaded a library with at least one known vulnerability. If you are curious how we ran the experiment, read on.
To build the test set we crawled website URLs from the Alexa top 5000. During the crawl we found that many sites were unreachable, so we kept working down the ranking until we had 5000 reachable URLs.
For example, to determine the jQuery version in use, the following code was evaluated in each page after it had loaded:

```javascript
// Evaluated in the page context; yields the version string (e.g. "1.12.4")
// when jQuery is present, otherwise a falsy value.
return jQuery && jQuery.fn && jQuery.fn.jquery
```

A similar presence-and-version check was run for each of the other libraries in the test (jQuery UI, Handlebars, React, Mustache, Angular, YUI and Dojo).
Each detected version was then compared against Snyk's open source vulnerability database to see how many of the libraries in use contain known vulnerabilities.
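The detection-and-comparison step described above, as an added example that is not part of the original article and not the authors' crawler or Snyk's tooling. It runs in Node against constructed fake `window` objects; in a real crawl the same `detect()` function would be evaluated inside each loaded page. The global names and version properties in `PROBES` are assumptions about how these libraries expose themselves, and the only vulnerable range loaded is the article's own statement that jQuery below 3.0.0 carries known issues; every other library is deliberately left without range data so the result reads as "unknown" rather than "safe".

```javascript
// Added example: probe a page's globals for the surveyed libraries, read the
// version each one exposes, and flag versions inside a known-vulnerable range.

// Assumed global names / version properties (verify against the library build
// you target; these are assumptions, not data from the article).
const PROBES = {
  jquery:      w => w.jQuery && w.jQuery.fn && w.jQuery.fn.jquery,
  "jquery-ui": w => w.jQuery && w.jQuery.ui && w.jQuery.ui.version,
  handlebars:  w => w.Handlebars && w.Handlebars.VERSION,
  react:       w => w.React && w.React.version,
  angular:     w => w.angular && w.angular.version && w.angular.version.full,
  mustache:    w => w.Mustache && w.Mustache.version,
  yui:         w => w.YUI && w.YUI.version,
  dojo:        w => w.dojo && w.dojo.version && String(w.dojo.version),
};

// Parse "1.12.4" or "3.0.0-rc1" into [major, minor, patch]; null if unparseable.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3] || 0)] : null;
}

// Numeric comparison of two parseable version strings: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error("unparseable version");
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Vulnerable ranges as [minInclusive, maxExclusive]. The jQuery entry mirrors
// the article's statement that only 3.0.0 and above is free of the known
// issues. A real tool would load this table from a vulnerability database;
// no other library gets an entry here on purpose.
const VULNERABLE_RANGES = {
  jquery: [["0.0.0", "3.0.0"]],
};

// true / false when advisory data exists, null when we simply do not know.
function isVulnerable(lib, version, ranges = VULNERABLE_RANGES) {
  if (!ranges[lib] || !parseVersion(version)) return null;
  return ranges[lib].some(([lo, hi]) =>
    compareVersions(version, lo) >= 0 && compareVersions(version, hi) < 0);
}

// Run every probe against a page's global object. Probes are wrapped in
// try/catch because a site may define a same-named global of a different shape.
function detect(win, ranges = VULNERABLE_RANGES) {
  const found = [];
  for (const [lib, probe] of Object.entries(PROBES)) {
    let version;
    try { version = probe(win); } catch (e) { version = undefined; }
    if (typeof version === "string" && version.length) {
      found.push({ lib, version, vulnerable: isVulnerable(lib, version, ranges) });
    }
  }
  return found;
}

// Aggregate over many crawled pages: share of pages with at least one library
// positively flagged (null results do not count as vulnerable).
function summarize(results) {
  const pages = results.length;
  const withVuln = results.filter(r => r.some(x => x.vulnerable === true)).length;
  return { pages, withVuln, share: pages ? withVuln / pages : 0 };
}

// Constructed fake pages standing in for crawled sites (not real data).
const FAKE_PAGES = [
  { jQuery: { fn: { jquery: "1.12.4" }, ui: { version: "1.11.4" } } },
  { jQuery: { fn: { jquery: "3.2.1" } }, Handlebars: { VERSION: "4.0.5" } },
  { React: { version: "15.4.2" }, dojo: { version: { toString: () => "1.10.4" } } },
];

const results = FAKE_PAGES.map(p => detect(p));
console.log(JSON.stringify(results, null, 1));
console.log(summarize(results));
```

Keeping "no advisory data" distinct from "not vulnerable" is the one design choice worth copying: a crawler that treats a missing table entry as a clean result will understate exactly the kind of figure this article reports.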
The results are not pretty
jQuery is without doubt the most popular library we tested; its popularity is well documented. 79% of the 5000 URLs tested use jQuery.
Although there is nothing unusual about jQuery, it is so widely used that it has become a natural target for scrutiny, and many people study its vulnerabilities (it has 5 known vulnerabilities, all fixed in the latest version).
As the results show, even looking at jQuery alone, 75.1% of the websites use a vulnerable version. This largely comes down to how long the same jQuery build has been left in production: among the sites surveyed, 17.4% of jQuery installs have been in place for more than 5 years. This agrees with the conclusion of our last report: people rarely update their libraries.
The jQuery versions without known vulnerabilities are 3.0.0 and above. For current jQuery users, changing versions is not that simple, because upgrading is likely to introduce bugs and may require an overall system upgrade. 79% of the jQuery installs detected were on the 1.x line. jQuery 3.0.0 has been out for about a year, yet only 3.6% of websites use a 3.x version, which is really far too low.
Next week we will publish a deeper analysis of jQuery; it is so popular that it is the most interesting library to study.
Next in popularity is jQuery UI, found on about 19.3% of the tested URLs. As with jQuery, most jQuery UI users are running a vulnerable version even though an upgrade is available: about 91% of the jQuery UI installs on the tested sites have at least one known vulnerability.
As with jQuery, this is largely because people do not upgrade: 21% of websites have used the same jQuery UI version for more than 5 years.
Handlebars is present on 3.4% of the tested websites, and 68% of those use a vulnerable version of Handlebars.
As above, lag in adopting new releases is the culprit. That said, the data show that newer Handlebars versions are reasonably well adopted: we did not detect the latest release, 4.0.6, but the previous one, 4.0.5, accounts for 26.7% of all Handlebars installs.
However, because Handlebars releases slowly (only two minor versions since November 2015), these sites also end up sitting on one version for a long time; a single version stays in use for about two years. Overall, Handlebars versions more than 3 years old account for 40%.
React, Mustache, Angular, YUI and Dojo
React (1.7%), Mustache (1.6%), Angular (1.3%), YUI (0.7%) and Dojo (0.2%) were rarely seen on the tested websites, so conclusions for each one individually are not reliable. Taken together, though, vulnerabilities are common here too: 56.3% of the detected versions are vulnerable.
Our conclusions
There is no denying that the survey results are not good. Our original estimate turns out to have been optimistic. No one wants to see that 77% of websites are using vulnerable libraries.
Because of the sensitivity of this data, we do not intend to release the raw data (which includes the list of websites and which of them are vulnerable). But if you run a website, you are welcome to contact us to check whether your site appears in this report and, if so, whether it is on the vulnerable list. If your site uses npm packages, you can also test it with Snyk, which may help you find further potential security vulnerabilities.
If this article helped you, please follow my column, Front end big ha, which regularly publishes high-quality front-end articles.