You’re going to miss me when I’m gone

Bad maintenance means your favorite JavaScript libraries might be vulnerable

Jane Elizabeth

Books in the Ricoleta Library image via Shutterstock

Maintenance is a thankless task, but it’s necessary to keep the internet running. Researchers from Northeastern have discovered shocking vulnerabilities in JavaScript libraries, leaving your code open to malware.

Upkeep is not sexy. It’s always cooler to be making something new than maintaining legacy code. But it’s a thankless and necessary task. A recent paper from Northeastern suggests that a lack of maintenance might be more of a security flaw than you’d think.

Everyone has had that one unforgivable system crash. The one that absolutely destroys everything so completely, like your work had never existed at all. It’s such a universal experience it’s practically a cliché. As much as we’re aware of our own vulnerabilities, there’s still this idea that the internet itself will always be there. (Recent outages might be putting that idea to rest, though.)

The web is unthinkable in its complexity, but it’s a heck of a lot less stable than we like to admit. It’s a constant wash of novelty and it’s all built on sand. The internet is not a library. The internet is not a repository. And to quote Jason Scott, an archivist and historian for the Internet Archive, “when it goes, it really goes.”

The Great Library of Alexandra was a marvel of the ancient world and a center for philosophers and ancient scientists to share information and research. Galen wrote that all ships docking at the port were obliged to hand over their books to the scribes for copying; the originals scrolls stayed in the library and the copies were given out to the original owners. It housed the world’s largest collection of scrolls on philosophy, literature, technology, math, and medicine. And when it burned, it was gone. Scraps remain today, in fragmented manuscripts here and there.

If the internet goes, we won’t even have fragments to contend with.

JavaScript libraries built on sand

Websites are like Frankenstein’s monster, built from composite parts such as database backends, content generation engines, multiple scripting languages and client-side code. They’re a nightmare to secure and maintain, if only because there’s so much space to cover.

One specific vulnerability lies in client-side JavaScript. Researchers from Northwestern University found that more than a third of websites use at least on JavaScript library version with a known vulnerability. Almost 10% use two or more vulnerable libraries.

“Modern websites often include popular third-party JavaScript libraries, and thus are at risk of inheriting vulnerabilities contained in these libraries,” writes Tobias Lauinger. By vulnerable, they mean Cross-Site Scripting (XSS), which allows someone to insert malicious code into a website. “If a JavaScript library accepts input from the user and does not validate it, an XSS vulnerability might creep in, and all websites using this library could become vulnerable.”

SEE ALSO: JavaScript, Scaling and Microservices – a team that can’t be beaten

Based on an Alexa Top 75k crawl in May 2016, Lauinger et al. found some alarming facts. The vast majority of Alexa sites use at least one well-known JavaScript library, with jQuery being the most popular.

Their research found that on “a per-library perspective, at least 36.7 % of jQuery, 40.1 % of Angular, 86.6 % of Handlebars, and 87.3 % of YUI inclusions use a vulnerable version.” Even more alarming was the fact that many sites still rely on JavaScript libraries that are no longer maintained, like YUI and SWFObject.

Old libraries, old code

Even more alarming is the reliance on archaic JavaScript library versions, as many servers may lack reliable updates. The median lag between the oldest library version used on each website and the newest available version of that library is 1,177 days in ALEXA and 1,476 days in COM. Development of some libraries still in active use ceased years ago. I’m not suggesting that old versions are bad, but boy, should you really rely on library dependencies that are at least 3 or 4 years old?

There is some good news; popular websites have the least amount of vulnerabilities. But one out of five are still vulnerable, suggesting that this problem is widespread.

According to the researchers, the most sobering finding is the “practical evidence that the JavaScript library ecosystem is complex, unorganised, and quite “ad hoc” with respect to security.” The lack of reliable vulnerability databases, security mailing lists, updates on security issues in release notes means that it is “difficult to determine which versions of a library are affected by a specific, reported vulnerability”.

The full paper, Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the W is available here.

So, have you updated your JavaScript libraries recently? I’d double check if I were you.

Jane Elizabeth
Jane Elizabeth is an assistant editor for

Inline Feedbacks
View all comments