Your dependencies are not dependable
These libraries simplify common development patterns like manipulating HTML page elements, providing application structure, and simplifying user interface construction.
The researchers looked at 75,000 of the top Alexa-ranked websites and at 75,000 randomly chosen .com websites. They found at least 36.7 per cent of jQuery, 40.1 per cent of Angular, 86.6 per cent of Handlebars, and 87.3 per cent of YUI (the discontinued Yahoo! User Interface Library) implementations employ a vulnerable version.
"Alarmingly, many sites continue to rely on libraries like YUI and SWFObject that are no longer maintained," the paper says. "In fact, the median website in our dataset is using a library version 1,177 days older than the newest release, which explains why so many vulnerable libraries tend to linger on the web."
"If not isolated in a frame, these libraries gain full privileges in the including site's context," the paper says. "Thus, even if a web developer keeps library dependencies updated, outdated versions may still be included by badly maintained third-party content."
The researchers say there's no easy fix, noting that existing remediation strategies look doubtful because "less than 3 per cent of websites could fix all their vulnerable libraries by applying only patch-level updates." For the rest, the update required would introduce incompatibilities that could break the application.
But the researchers found only 1.1 per cent of websites that depend on jQuery implement this capability.