These days it is almost impossible to develop in JavaScript without using one or more of the thousands of open-source JavaScript libraries available. Libraries make coding in JavaScript simpler and more efficient by wrapping tasks that would ordinarily take several lines of code into a single function that can be called.
These benefits do not come without risks, however. JavaScript libraries can have security flaws that can make a website using them vulnerable. According to a study conducted by Northeastern University, “more than 37% of websites use at least one library version with a known vulnerability.”
Common security vulnerabilities in JavaScript applications include cross-site scripting and cross-site request forgery; buffer overflows are also cited, although they affect the native code underneath (the JavaScript engine, browser, or native add-ons) rather than JavaScript code itself, which is memory-safe. Cross-site scripting allows attackers to inject malicious script into trusted web pages, which then runs in the browsers of users who view the site, with that site’s privileges. Cross-site request forgery allows attackers to make a user’s browser send requests to another site the user is logged in to, so that the site performs actions on the attacker’s behalf. Buffer overflows occur when attackers send data that is too large for the buffer meant to hold it, resulting in data being written outside of the buffer and allowing attackers to insert malicious code, corrupt data, or crash an application.
“The JavaScript ecosystem does not have a robust framework for documenting vulnerabilities within libraries and documenting their effect,” Arnal Dayaratna, research director at IDC, told SD Times. There is no cohesive list of known vulnerabilities available for developers to consult. jQuery vulnerabilities show up in the CVE list, a public catalog of disclosed security vulnerabilities, each with a standard identifier. However, Angular does not appear in the CVE list; it instead uses its GitHub CHANGELOG to report security fixes. Every library handles security information differently, so developers cannot rely on a single location to stay updated.
According to an npm blog post, “It’s common for a modern JavaScript project to depend on 700–1200 packages.” Therefore, it is not practical for developers of these larger-scale projects to be looking online for announcements of vulnerabilities. This is where software composition analysis tools become necessary and extremely helpful.
Software composition analysis tools inventory the components your application depends on, including transitive dependencies, and match their versions against databases of known vulnerabilities. This speeds up the detection of vulnerable components in your site and reduces the risk of human error. “Most of the companies that offer software composition analysis tools offer proactive alerting so you don’t even have to be watching it,” says Amy DeMartine, an analyst at Forrester. “They’ll tell you when a new vulnerability gets announced for a version of a component you’re using.”
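To make concrete what such a tool does for the 700–1200 packages mentioned above, here is an added example (not code from SD Times, from any analyst quoted here, or from any SCA vendor) of the core matching step: read the resolved versions from an npm lockfile’s “packages” map, including nested copies of the same package, and compare each against an advisory list whose vulnerable ranges run from the version that introduced the flaw up to, but not including, the first fixed version. The lockfile, the package names, the versions, and the advisory IDs below are all constructed for illustration and do not describe real vulnerabilities; real tools pull the advisory data from a feed and handle full semver ranges, which this minimal comparator does not.

```javascript
// Added example of the matching step inside a software composition analysis
// tool. All package names, versions and advisory IDs below are constructed
// for illustration; they are not real packages or real vulnerabilities.

// Parse "MAJOR.MINOR.PATCH" into numbers. Pre-release and build metadata
// are ignored here; a production tool would need full semver handling.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator for sort().
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// A vulnerable range is [introduced, fixed): the version that introduced
// the flaw is affected, the first fixed release is not.
function isVulnerable(version, range) {
  return compareVersions(version, range.introduced) >= 0 &&
         compareVersions(version, range.fixed) < 0;
}

// Walk a lockfile's "packages" map (npm lockfile v2/v3 layout). Keys are
// install paths such as "node_modules/foo" or, for a nested copy pulled in
// by a transitive dependency, "node_modules/plugin/node_modules/foo".
function scanLockfile(lockfile, advisories) {
  const findings = [];
  const marker = "node_modules/";
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === "") continue; // the root project entry, not a dependency
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    for (const adv of advisories) {
      if (adv.package !== name) continue;
      for (const range of adv.ranges) {
        if (isVulnerable(entry.version, range)) {
          findings.push({ path, name, version: entry.version, id: adv.id, fixed: range.fixed });
        }
      }
    }
  }
  return findings;
}

// Constructed advisory feed (hypothetical IDs and packages).
const sampleAdvisories = [
  { id: "EXAMPLE-0001", package: "left-pad-ish",
    ranges: [{ introduced: "1.0.0", fixed: "1.3.0" }] },
  { id: "EXAMPLE-0002", package: "widget-lib",
    ranges: [{ introduced: "2.0.0", fixed: "2.4.1" },
             { introduced: "3.0.0", fixed: "3.0.2" }] },
];

// Constructed lockfile excerpt. Note the two copies of widget-lib: the
// top-level one is on the fixed version, the nested one is not.
const sampleLockfile = {
  packages: {
    "": { name: "my-app", version: "0.1.0" },
    "node_modules/left-pad-ish": { version: "1.2.5" },
    "node_modules/widget-lib": { version: "2.4.1" },
    "node_modules/some-plugin": { version: "0.9.0" },
    "node_modules/some-plugin/node_modules/widget-lib": { version: "3.0.1" },
  },
};

// Human-readable report lines, one per finding.
function formatFindings(findings) {
  return findings.map(f =>
    `${f.id}: ${f.name}@${f.version} at ${f.path} (fixed in ${f.fixed})`);
}

for (const line of formatFindings(scanLockfile(sampleLockfile, sampleAdvisories))) {
  console.log(line);
}
```

The nested widget-lib copy is the case that makes manual checking impractical: a developer looking at package.json sees only some-plugin, not the older widget-lib it drags in, whereas the scan walks every installed path in the lockfile.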
The Northeastern University study found that the median website in its dataset used a library version that was “1,177 days older than the newest release.” Switching to a newer version takes time because testing needs to be done to ensure the newest version is compatible with the existing application or site.
Constantly updating to newer library versions takes developer time away from new projects, but leaving existing sites on versions with known vulnerabilities is also a problem.
If you have a vulnerable site, people are going to stop visiting it, Dayaratna claims. This will cancel out any cost-savings you gained from not updating your site properly.