A group of researchers from Northeastern University has published a new study of 133,000 websites, which found that 37 percent used at least one JavaScript library with a known security vulnerability. According to the analysis, “36.7 percent of jQuery, 40.1 percent of Angular, 86.6 percent of Handlebars, and 87.3 percent of YUI inclusions use a vulnerable version.” Not surprisingly, less-popular websites (those not on the Alexa top 100) were more likely to have vulnerabilities.
The report concludes, “Perhaps our most sobering finding is practical evidence that the JavaScript library ecosystem is complex, unorganized, and quite ‘ad hoc’ with respect to security.”