84% of all websites are impacted by jQuery XSS vulnerabilities

Written by:
wordpress-sync/JavaScript-Report-feature-04

October 30, 2019

0 mins read

Welcome to Snyk's State of JavaScript frameworks security report 2019. In this blog post we'll review security vulnerabilities found in other frontend ecosystem projects.

After reviewing Angular and React as major JavaScript frameworks, we’ll take a brief review of selected JavaScript and CSS frameworks: Vue.js, jQuery and Bootstrap.

Download the Report here!

jQuery security

jQuery took web development by storm a decade ago but since then web development have been revolutionized further with single page application technologies such as Angular, and React. That said, according to W3Techs which regularly run surveys and report on web technology usage jQuery is being used within 73% of websites they scanned in August 2019.

A Snyk study from 2017 further amplifies this when it reported that 77% of sites use at least one vulnerable JavaScript libraryand pointed out jQuery was detected in 79% of the top 5,000 URLs from Alexa. If you’re still not convinced, npm’s downloads for the jQuery npm module account to 120,641,977 for the last 12 months alone.

In total, we tracked six security vulnerabilities affecting jQuery across all of its releases to date, four of which are medium severity Cross-Site Scripting vulnerabilities, one is a medium severity Prototype Pollution vulnerability, and lastly, one is a low Denial of Service vulnerability. If you’re not using jQuery 3.4.0 and above which was released only recently, on 10th of Apr, 2019, then you are using vulnerable jQuery versions.

09-jquery-vulnerability-count

Since jQuery is usually found in web applications as a legacy component it is important to also understand its version usage patterns and their state of security.

W3Techs reports that of all websites using jQuery, it’s 1.x release is dominating with 83.4% of share and version 2 and 3 lag far behind with roughly 8% of all jQuery usage. When looking at the known security vulnerabilities and map them out to jQuery versions we found that four medium severity Cross-Site Scripting vulnerabilities are affecting jQuery v1 which is potentially concerning considering the 83.4% market share for anybody not employing software composition analysis to find and fix vulnerabilities in their open source components.

Many websites and web applications will further make use of jQuery libraries to extend the capabilities of jQuery and will turn to community- powered libraries to do so.

We found 13 vulnerable jQuery libraries as provided in the following table and offer the following observations:

  • Three jQuery libraries are malicious versions of open source community modules. As we can’t account for the downloads of the actual vulnerable versions since this isn’t available from the npm registry, we should call out jquery.js which is a malicious package and accounted for 5,444 downloads in the past 12 months.

  • jQuery libraries jquery-mobile, jquery-file-upload and jquery-colorbox account to more than 340,000 downloads in the past 12 months, despite including Arbitrary Code Execution and Cross-Site Scripting security vulnerabilities and not having any upgrade path to remediate them.

jQuery library name

Vulnerability type

Disclosure date

Vulnerability severity

Yearly module downloads

Fix exists?

jquery-airload

Malicious Package

2019-08-06

high

322

n/a

jquery.json-viewer

Cross-Site Scripting

2019-07-03

medium

17,898

github-jquery-widgets

Malicious Package

2019-06-07

high

232

n/a

jquery-mobile

Cross-Site Scripting

2019-05-04

medium

54,991

jquery-file-upload

Arbitrary Code Execution

2018-11-02

low

19,442

jquery.terminal

Cross-Site Scripting

2018-08-19

medium

79,982

jquery.csssr.validation

Regular Expression Denial of Service (ReDoS)

2018-02-13

high

3,069

jquery-colorbox

Cross-Site Scripting

2017-11-14

medium

268,513

jquery.js

Malicious Package

2017-08-02

high

5,444

n/a

jquery-ui

Cross-Site Scripting

2016-07-21

high

8,934,683

jquery-ujs

Cross-Site Request Forgery (CSRF)

2015-06-24

medium

5,763,710

jquery-migrate

Cross-Site Scripting

2013-04-18

medium

1,831,735

jquery-ui

Cross-Site Request Forgery (CSRF)

2012-11-26

medium

8,934,683

jquery-mobile

Cross-Site Scripting

2012-08-01

medium

54,991

jquery-ui

Cross-Site Scripting

2010-09-02

medium

8,934,683

*malicious packages have no fix information.


Download the Report here

We highly recommend downloading the full version of the report in its digital format, but have also made the following general sections available as blog posts:

Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer’s toolkit.

Start freeBook a live demo

© 2024 Snyk Limited
Registered in England and Wales

logo-devseccon