kevinhakanson.com

Thou shalt not depend on me: analysing the use of outdated JavaScript libraries on the web

March 09, 2017 #javascript #security

If you aren’t scared about JavaScript libraries and security, you will be after reading Thou shalt not depend on me: analysing the use of outdated JavaScript libraries on the web, which is a summary of http://www.ccs.neu.edu/home/arshad/publications/ndss2017jslibs.pdf.

Some excerpts to get you interested:

In this paper, we conduct the first comprehensive study of client-side JavaScript library usage and the resulting security implications across the Web.

Perhaps our most sobering finding is practical evidence that the JavaScript library ecosystem is complex, unorganised, and quite “ad hoc” with respect to security. There are no reliable vulnerability databases, no security mailing lists maintained by library vendors, few or no details on security issues in release notes, and often, it is difficult to determine which versions of a library are affected by a specific reported vulnerability.

Unfortunately, security does not appear to be a priority in the JavaScript library ecosystem. Popular vulnerability databases contain nearly no entries regarding JavaScript libraries.

The results of this work highlight the need for more thorough and systematic approaches to JavaScript library inclusion and dependency management on the Web.