jQuery took web development by storm a decade ago, but since then web development has been revolutionized further by single page application technologies such as Angular and React. That said, according to W3Techs, which regularly runs surveys and reports on web technology usage, jQuery was in use on 73% of the websites it scanned in August 2019.
In total, we tracked six security vulnerabilities affecting jQuery across all of its releases to date: four are medium severity Cross-Site Scripting vulnerabilities, one is a medium severity Prototype Pollution vulnerability, and one is a low severity Denial of Service vulnerability. If you are not using jQuery 3.4.0 or above, which was released only recently, on April 10, 2019, then you are using a vulnerable jQuery version.
Since jQuery is usually found in web applications as a legacy component, it is important to also understand its version usage patterns and their security state.
W3Techs reports that of all websites using jQuery, its 1.x release dominates with an 83.4% share, while versions 2 and 3 lag far behind with roughly 8% of all jQuery usage. When we mapped the known security vulnerabilities to jQuery versions, we found that four medium severity Cross-Site Scripting vulnerabilities affect jQuery v1, which is potentially concerning given its 83.4% market share, for anybody not employing software composition analysis to find and fix vulnerabilities in their open source components.
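As an added example (not code from the report or from the jQuery project), here is a minimal software composition analysis style check that identifies jQuery builds by the version banner each release carries and flags anything below 3.4.0, the release the report names as the first without known vulnerabilities; the script sources are constructed samples.

```javascript
// Added example: SCA-style inventory of jQuery builds by their version banner.
// Not code from the report or from the jQuery project; sample sources are constructed.
const FIRST_FIXED = "3.4.0"; // first release the report names as free of known issues

// Every jQuery build starts with a banner like "/*! jQuery v1.12.4 | (c) ...".
const BANNER_RE = /\/\*!\s*jQuery\s+v(\d+\.\d+\.\d+)/;

function parseVersion(v) {
  return v.split(".").map(Number);
}

// Compares two "major.minor.patch" strings numerically (not lexically, so 3.10.0 > 3.4.0).
// Returns negative, zero or positive, like a comparator for Array.prototype.sort().
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Extracts the jQuery version from a script's source text, or null when no banner is present.
function detectJQueryVersion(source) {
  const m = BANNER_RE.exec(source);
  return m ? m[1] : null;
}

// Audits a map of { scriptName: sourceText }; returns one finding per jQuery build found.
function auditScripts(scripts) {
  const findings = [];
  for (const [name, source] of Object.entries(scripts)) {
    const version = detectJQueryVersion(source);
    if (version === null) continue; // not a jQuery build
    findings.push({ name, version, vulnerable: compareVersions(version, FIRST_FIXED) < 0 });
  }
  return findings;
}

// Constructed sample script sources, trimmed to their opening banners.
const SAMPLE_SCRIPTS = {
  "vendor/jquery.min.js": "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */",
  "vendor/jquery-3.4.1.min.js": "/*! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */",
  "app/main.js": "// application code, no jQuery banner",
};

const REPORT = auditScripts(SAMPLE_SCRIPTS);
console.log(REPORT); // the 1.12.4 build is flagged vulnerable, the 3.4.1 build is not
```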
Many websites and web applications further make use of jQuery libraries to extend the capabilities of jQuery, and turn to community-powered libraries to do so.
We found 13 vulnerable jQuery libraries, as listed in the following table, and offer the following observations:
| jQuery library name | Vulnerability type | Disclosure date | Vulnerability severity | Yearly module downloads | Fix exists? |
|---|---|---|---|---|---|
| jquery-file-upload | Arbitrary Code Execution | 2018-11-02 | low | 19,442 | No |
| jquery.csssr.validation | Regular Expression Denial of Service (ReDoS) | 2018-02-13 | high | 3,069 | Yes |
| jquery-ujs | Cross-Site Request Forgery (CSRF) | 2015-06-24 | medium | 5,763,710 | Yes |
| jquery-ui | Cross-Site Request Forgery (CSRF) | 2012-11-26 | medium | 8,934,683 | Yes |
\* Malicious packages have no fix information.
We highly recommend downloading the full version of the report in its digital format, but we have also made the following general sections available as blog posts: