The Perils of jQuery?
Written by Ian Elliot   
Thursday, 07 November 2019

Although the JavaScript library jQuery is no longer as popular as it was, it is still widely used. As a result at least six in ten websites are impacted by jQuery XSS vulnerabilities. Even more security issues are introduced by the jQuery libraries used to extend jQuery's capabilities.

synk

These findings come from open source security platform, Snyk and are included in "The state of JavaScript frameworks security report 2019". While this report is mainly devoted to a security review of the two leading JavaScript frameworks, Angular and React, it takes a "sneak peek" into the security vulnerabilities in three other frontend JavaScript ecosystem projects - Vue.js, Bootstrap and jQuery.

jQuery was downloaded more than 120 million times in the last 12 months, which is equivalent to the number of downloads for Vue.js (40 million) and Bootstrap (79 million) combined.

Snyk reports that four vulnerabilities had been found for Vue.js, all of which have been fixed. Bootstrap contained seven cross-site scripting (XSS) vulnerabilities. Three of these were disclosed in 2019 and there are no security fixes or upgrade paths to avoid them. In the case of jQuery snyk tracked six security vulnerabilities affecting jQuery across all of its releases to date. Four are medium severity Cross-Site Scripting vulnerabilities, one is a medium severity Prototype Pollution vulnerability, and the final one is a low severity Denial of Service vulnerability. 

The report concludes that unless you are using jQuery 3.4.0 and above then you are using vulnerable jQuery versions.

 

snykchart

In fact, according to W3Techs, jQuery v1.x is used in 84% of all websites using jQuery. This exposes them to four medium severity XSS vulnerabilities and the situation is exacerbated by the use of jQuery extension libraries, 13 of which have identified vulnerabilities.

Snyk calls particular attention to jquery.js which is a malicious package and accounted for 5,444 downloads in the past 12 months. it vulnerability severity is rated as high as is that of two other malicious versions of open source community modules which have fewer annual downloads - jquery-airload (322 downloads) and github-jquery-widgets (232 downloads).

It also pointed to three other extension libraries, jquery-mobile, jquery-file-upload and jquery-colorbox, which together account for more than 340,000 downloads in the past 12 months, despite including Arbitrary Code Execution and Cross-Site Scripting security vulnerabilities and not having any upgrade path to remediate them.

 

jquery3

 

More Information

Snyk Javascript Report 2019 (pdf)

Related Articles

jQuery Still Our Favourite Framework

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on, Twitter, Facebook or Linkedin.

 

Banner


Helm 3.0 Released
02/12/2019

Helm 3.0 has been released with Tiller removed and the Helm Go SDK refactored for general use. Helm is a package manager for Kubernetes designed to allow developers and operators to more easily packag [ ... ]



Project Cortex Adds AI To Office 365
11/11/2019

At Ignite 2019, held last week in Orlando, Microsoft announced Project Cortex, a system that uses machine learning to make better use of data held in an organization's Office documents and services.&n [ ... ]


More News

graphics

 



 

Comments




or email your comment to: comments@i-programmer.info

<ASIN:1871962501>

<ASIN:1871962528>

  

Last Updated ( Thursday, 07 November 2019 )