Preventing the Usage of Vulnerable JavaScript Libraries

Apr 4, 2017


In this short informational blog post we would like to

  • point out the dangers of deploying vulnerable third-party JavaScript libraries in web projects and
  • reference 2 tools that check for outdated libraries.


Recent context of this topic is a new study in which researchers systematically scanned more than 133.000 prominent websites for outdated JavaScript libraries [1]. Result of this study is that more than a third of the scanned websites employ at least one library with a known vulnerability. Many sites even ship JavaScript libraries which have not been updated for years.

Third-party JavaScript libraries are often handy for quickly building up interactive and good-looking web application, but are later forgotten or seen as a static asset. Reluctance to update third-party libraries also originates from the fact that such updates often entail new testing efforts.

However, from a security perspective the world is changing every day. Even for the most widespread libraries, those which are often considered mature and reasonably secure, the publication of a single vulnerability can put thousands of websites at stake from one day to the other. Typical vulnerabilities in JavaScript libraries often allow attackers to perform cross-site scripting attacks and thus impair the security of all website users. A more detailed discussion of risks when employing third-party JavaScript libraries in web application projects can be found on the following OWASP page: [5].

Staying up to date

We recommend to regularly check whether new library versions are available. Ideally, one project member should subscribe to security or announcements newsletters of vital third-party dependencies (if such channels exist). Of course, this task of manually staying up to date is tedious and prone to incidents slipping through the net. Hence, we additionally recommend two little tools here which help to recognise whether outdated third-party libraries are used. Both tools are free software.


Retire.js is a light-weight tool that scans a specified folder for references to vulnerable JavaScript libraries [4]. A list of vulnerable libraries including links to a description of the respective vulnerabilities is shipped with Retire.js. Hence, Retire.js has to be updated regularly (e.g. via git pull). For testing, it can also be integrated into grunt, used as a Chrome or Firefox plugin or inside the HTTP proxies Burp and OWASP Zap.

OWASP Dependency Check

In this regard, we also recommend using “OWASP Dependency Check” [2]. This utility scans a project for dependencies (e.g. all jar files in the project path) and checks those against vulnerability databases (e.g. the well-known NIST CVE database [3]). Currently, it primarily aims at Java and .NET projects. In addition to the simple usage as a command line tool, Dependency Check can be integrated into the automated build process (plugins for Maven, Ant, Gradle and Jenkins are available).


Recent posts

mgm sp @ Heise DevSec

With the topic “How practical is DevSecOps really? – A field report” our colleague Maximiliane Zirm is present at this year’s Heise devSec. 

read more

Tool Tuesday – nmap

One tool which should be installed on every pentester PC is nmap. This command line tool is the Swiss army knive for penetration tests on network level, but also used regularly by system administrators.

read more

mgm sp @ Munich

Our head office is located in the heart of Bavaria, since the time of SecureNet. Come have a look!

read more