- Check regularly whether your website references external libraries. This tells you if someone has injected links to malicious external library providers.
jQuery makes it easy to create dynamic websites with advanced features, such as retrieving data from a web page or modifying data in the browser. It is also often bundled with website themes, usually as part of another package such as WordPress. My own observation from 20,000 websites is that jQuery is used on 1 in 10 websites. This number is consistent with statistics from Built With, which further indicates that more than 43 million websites use jQuery. Among the top-ranked websites, 3 out of 4 use jQuery.
What are the vulnerabilities?
What are the risks?
Risk 1. The library version is outdated and contains vulnerabilities
jQuery has several known vulnerabilities (mentioned above). Looking at the versions of jQuery in use, the diversity is striking: some versions are very popular, sometimes even versions from years ago. This is illustrated in the figure below. Versions prior to 1.6.3 deserve particular attention: these versions are the most vulnerable.
Looking at jQuery in terms of external hosting, we see the following:
- Of the 1613 websites with a jQuery script, 189 load it from outside their own DNS domain
- Of the 189 external libraries, 77 are hosted at google.com (Google APIs)
- Of the 189, 37 are hosted at jquery.com
- The remaining 75 are hosted on other external servers
Risk 2. The remote library server is not secure
How secure are remote library servers? A quick check with Internet-Security-Scan on the 75 "other" remote servers reveals that:
- 13 remote library servers have one or more obvious security shortcomings (mainly SSL configuration issues).
- 2 external library servers have a bad reputation (among other things, blacklisted for malware distribution)
If for some reason it is still necessary to use an external library, select a content provider with an adequate level of security and check its security regularly. In particular, avoid library servers that appear on a malware blacklist.
Risk 3. The external library contains malware
jQuery is generally not obfuscated but only minified, since minification places less load on the client. That the obfuscation is done on a bad-reputation server is suspect: is this library obscured in order to hide malicious modifications? For me, this is reason enough to avoid this library server.
Risk 4. A website is inadvertently using an external library
This type of attack was detected once, where the name '/js/jquery.min.php' was used for the external library. It has nothing to do with jQuery itself; it only benefits from the fact that a link to a jQuery library will not raise suspicion. These bogus libraries are then retrieved and executed by the browser. This is an example of how malware can be distributed. Check out this blog for more details on this specific attack.
The solution to this problem is to check regularly whether a website is using external libraries. If the rule of thumb is that exotic external library servers should not be used, a problem is easy to spot when a scan reports links to external libraries.
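The check described in this post can be scripted. The following is an added example, not code from the original post or from any scanner named in it: it parses a page's HTML for `<script src>` references, marks each one as internal or external to the site's own host, extracts the jQuery version from the filename or CDN path and flags anything older than the 1.6.3 threshold from Risk 1, and flags jQuery-named files that are not served as `.js` (the `jquery.min.php` pattern from Risk 4). The sample HTML, the page URL `https://www.example.com/` and the host `cdn.example-bad.test` are constructed for illustration.

```python
"""Scan HTML for <script src=...> references and flag external or suspicious library links."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# jQuery versions older than this are flagged (threshold taken from the post).
MIN_SAFE_JQUERY = (1, 6, 3)

# jQuery build filenames: jquery-1.4.2.min.js, jquery.min.js, jquery.min.php, ...
JQUERY_NAME = re.compile(r"^jquery(?:-(\d+(?:\.\d+)*))?(?:\.min)?\.(\w+)$", re.IGNORECASE)
# CDN layouts that carry the version in the path, e.g. /ajax/libs/jquery/1.12.4/jquery.min.js
JQUERY_PATH_VERSION = re.compile(r"/jquery/(\d+(?:\.\d+)*)/", re.IGNORECASE)


class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in the document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def parse_version(text):
    """'1.4.2' -> (1, 4, 2), so versions compare as tuples."""
    return tuple(int(part) for part in text.split("."))


def classify_script(src, page_url):
    """Describe one script reference: host, internal/external, jQuery version, findings."""
    absolute = urljoin(page_url, src)  # resolves relative and protocol-relative URLs
    parsed = urlparse(absolute)
    host = parsed.hostname or ""
    own_host = urlparse(page_url).hostname or ""
    external = host != own_host
    filename = parsed.path.rsplit("/", 1)[-1]

    findings = []
    version = None
    match = JQUERY_NAME.match(filename)
    if match:
        extension = match.group(2).lower()
        if extension != "js":
            # A jQuery-named file served as e.g. .php is the Risk 4 pattern.
            findings.append(f"jquery-named file served as .{extension}")
        version_text = match.group(1)
        if not version_text:
            path_match = JQUERY_PATH_VERSION.search(parsed.path)
            version_text = path_match.group(1) if path_match else None
        if version_text:
            version = parse_version(version_text)
            if version < MIN_SAFE_JQUERY:
                findings.append("jQuery older than 1.6.3")
    if external:
        findings.append(f"external host {host}")

    return {"src": src, "host": host, "external": external,
            "version": version, "findings": findings}


def scan_html(html, page_url):
    """Return one classification record per <script src> found in the HTML."""
    collector = ScriptCollector()
    collector.feed(html)
    return [classify_script(src, page_url) for src in collector.srcs]


# Constructed sample page: one old local jQuery, one CDN copy, one bogus .php, one own script.
PAGE_URL = "https://www.example.com/"
SAMPLE_HTML = """<html><head>
<script src="/js/jquery-1.4.2.min.js"></script>
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js"></script>
<script src="http://cdn.example-bad.test/js/jquery.min.php"></script>
<script src="/js/app.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for record in scan_html(SAMPLE_HTML, PAGE_URL):
        status = "; ".join(record["findings"]) or "ok"
        print(f"{record['src']}: {status}")
```

Run it against the saved HTML of each page on a site and keep the list of external hosts under version control; a new host or a new `jquery`-named file with an unexpected extension is then a one-line diff, which is exactly the kind of regular check the post recommends.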