Tue. Jul 7th, 2020

The state of JavaScript frameworks security report 2019: at least six in ten websites are impacted by jQuery XSS vulnerabilities


Although the JavaScript library jQuery is still widely used, it is no longer as popular as it once was. According to the open-source security platform Snyk, at least six out of ten websites are currently affected by jQuery XSS vulnerabilities, and even the jQuery plugins written to extend jQuery's functionality introduce further security issues.

Snyk has released “The state of JavaScript frameworks security report 2019”, which focuses on security reviews of the two leading JavaScript frameworks (Angular and React) but also investigates security vulnerabilities in three other front-end JavaScript ecosystem projects: Vue.js, Bootstrap, and jQuery.

The report shows that in the past 12 months jQuery has been downloaded more than 120 million times, roughly equal to the combined downloads of Vue.js (40 million) and Bootstrap (79 million). In the report, Vue.js was found to have four vulnerabilities, all of which have been fixed; Bootstrap contains seven cross-site scripting (XSS) vulnerabilities, three of which were disclosed in 2019, and there is currently no security fix or upgrade path for them. In jQuery, the six vulnerabilities tracked to date affect all versions: four of them are medium-severity cross-site scripting vulnerabilities, one is a medium-severity Prototype Pollution, and the other is a low-severity denial-of-service vulnerability.

According to W3Techs, 84% of websites using jQuery run the v1.x line, which is affected by the four medium-severity XSS vulnerabilities. The Snyk report also names jquery.js as a malicious package that has been downloaded 5,444 times in the past 12 months; its severity is as high as that of the malicious versions of two other open-source community modules (jquery-airload with 322 downloads and github-Jquery-widget with 232 downloads).
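A defender's first question after reading these numbers is "which of our sites still load jQuery 1.x?". The following script is an added example (it is not from the article or from Snyk's report) that scans HTML for `<script src>` tags loading jQuery core and reports the version embedded in the path, flagging the 1.x line the article singles out. The CDN path conventions it recognises, the regular expressions, and the sample HTML are all assumptions constructed for this example; it only reads the version from the file name and does not fetch or inspect the script itself.

```javascript
// Added example, not code from the article or from Snyk.
// Inventory check: find jQuery core <script src> tags in an HTML document
// and report the version that appears in the path.

// Matches the src attribute of any <script> tag (double or single quotes).
const SCRIPT_SRC = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;

// Returns "x.y.z" when the path names jQuery core with a version,
// "unknown" when it names jQuery core without one, and null when the
// file is not jQuery core (plugins such as jquery-ui are deliberately skipped).
function parseJQueryVersion(src) {
  const path = src.split(/[?#]/)[0]; // drop query string and fragment

  // Style 1 (assumed CDN layout): .../jquery-1.12.4.min.js
  let m = /(?:^|\/)jquery-(\d+\.\d+\.\d+)(?:\.slim)?(?:\.min)?\.js$/i.exec(path);
  if (m) return m[1];

  // Style 2 (assumed CDN layout): .../jquery/3.5.1/jquery.min.js
  m = /\/jquery\/(\d+\.\d+\.\d+)\/jquery(?:\.slim)?(?:\.min)?\.js$/i.exec(path);
  if (m) return m[1];

  // jQuery core served without a version in the path, e.g. /js/jquery.min.js
  if (/(?:^|\/)jquery(?:\.slim)?(?:\.min)?\.js$/i.test(path)) return "unknown";

  return null;
}

// Walks the HTML and returns one finding per jQuery core script tag.
// legacy1x is true for the 1.x line, which the article reports is run by
// 84% of jQuery sites and is affected by the four medium-severity XSS issues.
function auditHtml(html) {
  const findings = [];
  for (const match of html.matchAll(SCRIPT_SRC)) {
    const src = match[1];
    const version = parseJQueryVersion(src);
    if (version === null) continue; // not jQuery core
    const major = version === "unknown" ? null : Number(version.split(".")[0]);
    findings.push({ src, version, legacy1x: major === 1 });
  }
  return findings;
}

// Constructed sample page for this example (not a real site).
const SAMPLE_HTML = `
<html><head>
<script src="https://code.jquery.com/jquery-1.12.4.min.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
<script src="/static/jquery-ui-1.12.1.min.js"></script>
<script src='/js/jquery.min.js?v=7'></script>
<script src="/js/app.js"></script>
</head><body></body></html>`;

for (const f of auditHtml(SAMPLE_HTML)) {
  const note = f.legacy1x ? "jQuery 1.x line, review against the report"
             : f.version === "unknown" ? "version not in path, check the file header"
             : "ok";
  console.log(`${f.src}\t${f.version}\t${note}`);
}
```

Run it with `node audit.js`. A `version: "unknown"` result means the file name carries no version; jQuery builds start with a `/*! jQuery vX.Y.Z` banner comment, so opening the served file is the quick way to resolve those cases. Filename matching is a heuristic inventory aid, not a vulnerability scanner: a site that bundles jQuery into its own application script will not be found this way.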

Although some have considered jQuery unpopular in recent years, the report shows it still has high download numbers; the likely reasons are:

  • A large body of tutorials, existing websites, and software already depends on it.
  • The ecosystem of jQuery plugins is very rich, and many newer JavaScript frameworks also support jQuery.
  • A large number of programmers have used jQuery, are familiar with its syntax and functions, and will keep using it.

Via: i-programmer