comments (not for humans)

[Security] Scanning Fortune 500 for JavaScript libraries with known vulerabilities

February 25, 2014 - 15:21 UTC   -   Tags: retire retirejs owasp After scanning Norway and Alexa Top 100,000, I decided to scan the Fortune 500 companies. Summarized 385 (77%) out of the 500 are using JavaScript libraries with known vulnerabilities. Which means they will have problems with OWASP Top 10 2013-A9 Using Components with Known Vulnerabilities. Again I would like to stress, that using a library with a known vulnerability, does not necessarily mean the site is vulnerable, because the vulnerable code may not be used.

Libraries

In the charts below red means the version has a known vulnerability

jQuery

jQuery is a very widely used library. I was surprised however to find so many different and old versions in use

jquery 1.1.3.1
1
jquery 1.2
2
jquery 1.2.1
1
jquery 1.2.2e
1
jquery 1.2.3
1
jquery 1.2.6
9
jquery 1.3
2
jquery 1.3.1
3
jquery 1.3.2
21
jquery 1.4
7
jquery 1.4.1
5
jquery 1.4.2
53
jquery 1.4.3
6
jquery 1.4.4
24
jquery 1.5
2
jquery 1.5.0
1
jquery 1.5.1
16
jquery 1.5.2
14
jquery 1.6
1
jquery 1.6.0
1
jquery 1.6.1
4
jquery 1.6.2
14
jquery 1.6.3
1
jquery 1.6.4
19
jquery 1.7
7
jquery 1.7.0
1
jquery 1.7.1
54
jquery 1.7.2
67
jquery 1.8.0
4
jquery 1.8.1
13
jquery 1.8.2
19
jquery 1.8.3
33
jquery 1.9.0
2
jquery 1.9.1
30
jquery 1.10.1
6
jquery 1.10.2
40
jquery 2.0.3
2

jQuery UI

Loads of different versions

jquery-ui-autocomplete 1.8.1
1
jquery-ui-autocomplete 1.8.4
2
jquery-ui-autocomplete 1.8.5
3
jquery-ui-autocomplete 1.8.7
1
jquery-ui-autocomplete 1.8.9
3
jquery-ui-autocomplete 1.8.10
1
jquery-ui-autocomplete 1.8.11
4
jquery-ui-autocomplete 1.8.12
1
jquery-ui-autocomplete 1.8.13
4
jquery-ui-autocomplete 1.8.14
2
jquery-ui-autocomplete 1.8.15
1
jquery-ui-autocomplete 1.8.16
12
jquery-ui-autocomplete 1.8.18
1
jquery-ui-autocomplete 1.8.20
1
jquery-ui-autocomplete 1.8.21
3
jquery-ui-autocomplete 1.8.22
2
jquery-ui-autocomplete 1.8.23
5
jquery-ui-autocomplete 1.8.24
2
jquery-ui-autocomplete 1.9.0
1
jquery-ui-autocomplete 1.9.2
6
jquery-ui-autocomplete 1.10.0
2
jquery-ui-autocomplete 1.10.1
3
jquery-ui-autocomplete 1.10.2
6
jquery-ui-autocomplete 1.10.3
9
jquery-ui-dialog 1.7.2
1
jquery-ui-dialog 1.8.1
1
jquery-ui-dialog 1.8.4
2
jquery-ui-dialog 1.8.5
3
jquery-ui-dialog 1.8.6
1
jquery-ui-dialog 1.8.7
2
jquery-ui-dialog 1.8.9
3
jquery-ui-dialog 1.8.10
1
jquery-ui-dialog 1.8.11
2
jquery-ui-dialog 1.8.12
1
jquery-ui-dialog 1.8.13
4
jquery-ui-dialog 1.8.14
2
jquery-ui-dialog 1.8.15
1
jquery-ui-dialog 1.8.16
12
jquery-ui-dialog 1.8.18
1
jquery-ui-dialog 1.8.20
2
jquery-ui-dialog 1.8.21
3
jquery-ui-dialog 1.8.22
1
jquery-ui-dialog 1.8.23
5
jquery-ui-dialog 1.8.24
2
jquery-ui-dialog 1.9.0
1
jquery-ui-dialog 1.9.2
7
jquery-ui-dialog 1.10.0
2
jquery-ui-dialog 1.10.1
3
jquery-ui-dialog 1.10.2
6
jquery-ui-dialog 1.10.3
8
jquery-ui-tooltip 1.9.0
1
jquery-ui-tooltip 1.9.2
6
jquery-ui-tooltip 1.10.0
2
jquery-ui-tooltip 1.10.1
3
jquery-ui-tooltip 1.10.2
6
jquery-ui-tooltip 1.10.3
8

jQuery-mobile

Betas and release candidates in use here

jquery-mobile 1.0
1
jquery-mobile 1.2.0
2
jquery-mobile 1.3.1
1
jquery-mobile 1.3.2
3

YUI

The Yahoo User Interface Library is also quite widely used

YUI 2.2.2
4
YUI 2.4.1
3
YUI 2.5.2
3
YUI 2.6.0
3
YUI 2.7.0
4
YUI 2.9.0
3

Prototype.js

Quite a number of versions in use

prototypejs 1.5.1.1
2
prototypejs 1.6
1
prototypejs 1.6.0
3
prototypejs 1.6.0.1
4
prototypejs 1.6.0.2
1
prototypejs 1.6.0.3
1
prototypejs 1.6.1
1
prototypejs 1.7
4

Other

angularjs 1.0.8
3
backbone.js 0.9.2
1
dojo 0.0.0
1
dojo 1.6.0
1
dojo 1.6.1
1
handlebars.js 1.0.0
1
handlebars.js 1.0.beta.6
1
mustache.js 0.3.1-dev
1
mustache.js 0.5.0
1
mustache.js 0.7.2
1
Permalink |