Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web (1811.00918v2)

Published 2 Nov 2018 in cs.CR

Abstract: Web developers routinely rely on third-party JavaScript libraries such as jQuery to enhance the functionality of their sites. However, if not properly maintained, such dependencies can create attack vectors allowing a site to be compromised. In this paper, we conduct the first comprehensive study of client-side JavaScript library usage and the resulting security implications across the Web. Using data from over 133k websites, we show that 37% of them include at least one library with a known vulnerability; the time lag behind the newest release of a library is measured in the order of years. In order to better understand why websites use so many vulnerable or outdated libraries, we track causal inclusion relationships and quantify different scenarios. We observe sites including libraries in ad hoc and often transitive ways, which can lead to different versions of the same library being loaded into the same document at the same time. Furthermore, we find that libraries included transitively, or via ad and tracking code, are more likely to be vulnerable. This demonstrates that not only website administrators, but also the dynamic architecture and developers of third-party services are to blame for the Web's poor state of library management. The results of our work underline the need for more thorough approaches to dependency management, code maintenance and third-party code inclusion on the Web.

Citations (158)

Summary

  • The paper presents an empirical study revealing that over 37% of 133,000 websites use outdated JavaScript libraries, exposing significant security vulnerabilities.
  • It employs robust methodologies including static and dynamic analysis with causality trees to trace library inclusion and measure update lag.
  • The study calls for proactive dependency management and regular security audits to mitigate the risks posed by legacy library usage.

Analysis of Outdated JavaScript Libraries on the Web

The paper, "Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web," presents an extensive empirical study of the prevalence and implications of using outdated JavaScript libraries across a substantial portion of the web. This work reveals how widespread these libraries are and highlights the security vulnerabilities that arise from their outdated status.

Contemporary web development often involves integrating third-party JavaScript libraries to enhance site functionality and maintain cross-browser compatibility. These libraries, while facilitating development, also introduce the risk of inherited vulnerabilities if not adequately maintained. The researchers conducted a comprehensive investigation involving over 133,000 websites and found that a significant 37% of these sites included at least one library with known vulnerabilities. The lag behind the newest library release was measured in years for the examined sites, indicating persistent reliance on outdated versions.

A key aspect of the paper is its exploration of causal inclusion relationships within websites to understand why numerous sites use vulnerable libraries. It observes that libraries are frequently included in ad hoc and transitive ways, often resulting in multiple versions of the same library being loaded simultaneously. Alarmingly, libraries included via ad and tracking code exhibited a higher probability of being vulnerable, emphasizing shared responsibility among website administrators, third-party service developers, and the complex architecture of web services.

The empirical methods utilized are robust and innovative. The researchers constructed a detailed catalogue of JavaScript libraries, gathering metadata from various sources including GitHub and public CDNs. Their approach to library detection combined static methods (recognising library names and versions in script URLs and file contents) with dynamic methods (inspecting the loaded page at runtime). Moreover, causality trees built from Chrome Debugging Protocol events enabled comprehensive tracking of script inclusions, recording which script or document created each dynamically inserted element.

The paper's results highlight several concerning realities: a large number of websites continue to use versions released several years ago, indicating a neglect of timely updates. Libraries like YUI, whose maintenance has ceased, continue to appear on websites. The team's analysis not only provides quantitative data but also uncovers qualitative insights into the unexpected ways libraries are incorporated into sites.

From a remediation perspective, the paper underscores the insufficiency of version aliasing practices on JavaScript CDNs and shows that only a minuscule fraction of sites could remediate vulnerabilities through patch-level updates. The cessation of support for version aliasing by Google's CDN further complicates efforts to keep libraries updated automatically.
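The following JavaScript is an added example, not code from the paper or its authors, that sketches two of the steps described above: static detection of library versions from `<script src>` URLs, and a check of whether a vulnerable inclusion could be remediated by a patch-level update (same major.minor, higher patch number). It also flags the case noted earlier in which several versions of one library are loaded into the same document. The catalogue (release lists and `safeFrom` thresholds) and the sample HTML are constructed for illustration and are not real advisory data; `CATALOGUE`, `detectLibraries`, `patchLevelFix` and `analyse` are names chosen here, not the paper's.

```javascript
// Added example (not the paper's code). All version thresholds and sample
// inclusions below are CONSTRUCTED; they do not describe real advisories.

const CATALOGUE = {
  jquery: {
    releases: ["1.8.3", "1.9.1", "1.11.3", "1.12.3", "1.12.4", "2.2.4", "3.4.1", "3.5.0", "3.7.1"],
    // Hypothetical: first release of each major line without the made-up flaw.
    // null means every release in that major line is treated as affected.
    safeFrom: { 1: "1.12.4", 2: null, 3: "3.5.0" },
  },
  angular: {
    releases: ["1.5.8", "1.6.9", "1.6.10", "1.7.9", "1.8.3"],
    safeFrom: { 1: "1.8.0" },
  },
};

const parseSemver = (s) => s.split(".").map(Number);

// Numeric major.minor.patch comparison (negative if a < b, 0 if equal, positive if a > b).
function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Static detection: recognise "<lib>/<ver>/" CDN paths and "<lib>-<ver>" file names.
// Version-less file names (e.g. "jquery.min.js") fall through to `undetected`;
// those are the inclusions that need the dynamic, in-page detection step.
function detectLibraries(html) {
  const found = [];
  const undetected = [];
  const srcRe = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = srcRe.exec(html)) !== null) {
    const src = m[1];
    let hit = null;
    for (const name of Object.keys(CATALOGUE)) {
      const re = new RegExp(`(?:^|/)${name}(?:[-.]|/)v?(\\d+\\.\\d+\\.\\d+)`, "i");
      const vm = re.exec(src);
      if (vm) { hit = { library: name, version: vm[1], src }; break; }
    }
    if (hit) found.push(hit); else undetected.push(src);
  }
  return { found, undetected };
}

function isVulnerable(library, version) {
  const safe = CATALOGUE[library].safeFrom[parseSemver(version)[0]];
  if (safe === undefined) return false; // no entry for this major line in the catalogue
  if (safe === null) return true;       // whole major line affected
  return compareSemver(version, safe) < 0;
}

// Smallest later release with the same major.minor that is not affected, or null
// when no patch-level update removes the flaw (a minor/major upgrade is needed).
function patchLevelFix(library, version) {
  const [maj, min] = parseSemver(version);
  const candidates = CATALOGUE[library].releases.filter((r) => {
    const [rm, rn] = parseSemver(r);
    return rm === maj && rn === min && compareSemver(r, version) > 0 && !isVulnerable(library, r);
  });
  candidates.sort(compareSemver);
  return candidates.length ? candidates[0] : null;
}

function analyse(html) {
  const { found, undetected } = detectLibraries(html);
  const findings = found.map((f) => {
    const vulnerable = isVulnerable(f.library, f.version);
    return { ...f, vulnerable, patchFix: vulnerable ? patchLevelFix(f.library, f.version) : null };
  });
  // Several versions of the same library in one document: the symptom of
  // ad hoc and transitive inclusion that the paper describes.
  const versionsByLib = new Map();
  for (const f of findings) {
    if (!versionsByLib.has(f.library)) versionsByLib.set(f.library, new Set());
    versionsByLib.get(f.library).add(f.version);
  }
  const duplicates = [...versionsByLib].filter(([, v]) => v.size > 1).map(([lib]) => lib);
  return { findings, undetected, duplicates };
}

// Constructed sample document: two jQuery versions, one AngularJS, one
// version-less jQuery file and one first-party script.
const SAMPLE_HTML = `
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script>
<script src="/static/js/jquery-1.12.3.min.js"></script>
<script src="https://cdn.example.com/angular/1.6.9/angular.min.js"></script>
<script src="/vendor/jquery.min.js"></script>
<script src="/js/app.js"></script>`;

console.log(JSON.stringify(analyse(SAMPLE_HTML), null, 2));
```

On the sample, only the jQuery 1.12.3 inclusion has a patch-level fix (1.12.4 in the constructed catalogue); jQuery 1.8.3 and AngularJS 1.6.9 need a minor or major upgrade, which mirrors the paper's observation that patch-level updates alone remediate very few sites. The version-less `/vendor/jquery.min.js` is reported as undetected, which is why the paper pairs static URL matching with dynamic in-page detection.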

The implications of this paper are substantial both in practical and theoretical domains. Practically, it suggests that web developers should adopt more systematic dependency management practices and integrate regular security audits. Theoretically, it draws attention to the need for improved library version tracking and dissemination mechanisms within the JavaScript ecosystem to better support developers.

The paper concludes by advocating for enhanced documentation and communication about library security issues, proposing stronger frameworks for code maintenance and dependency management. It calls on both library maintainers and web developers to engage in more proactive security practices to mitigate the vulnerabilities introduced by outdated dependencies.

Future developments in AI could potentially support automated tools for real-time security evaluation and updates for web libraries, facilitating more secure web environments. Nonetheless, the human element — awareness, responsibility, and proactive engagement — remains crucial in the endeavor to protect websites from security vulnerabilities inherent in outdated code.
