Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web

  • Tobias Lauinger, Abdelberi Chaabane, William Robertson, Christo Wilson, Engin Kirda
  • Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS)
Abstract.

Web developers routinely rely on third-party JavaScript libraries to enhance the functionality of their websites. However, if not properly maintained, such library dependencies can create attack vectors that may lead to the compromise of a site.

In this paper, we conduct the first comprehensive study on the security implications of JavaScript library usage across the Web. Using data crawled from over 133K websites, we present empirical evidence showing that 37.8% of websites include at least one outdated JavaScript library with a known vulnerability. Unexpectedly, we also observe sites including external JavaScript libraries in ad-hoc ways that lead to different versions of the same library being loaded into the same document at the same time. Furthermore, we find that libraries that are included indirectly (i.e., not by the root document of a site) and via ad/tracking code are more likely to be vulnerable, demonstrating that website administrators are not entirely to blame for the poor state of library management on the Web.

The results of our work underline the need for more thorough approaches to dependency management and code maintenance on the Web.