Vulnerable JavaScript Libraries: The Supply Chain Risk on Every Page
That jQuery version from 2019 has 3 known CVEs. Here's how to find and fix vulnerable JavaScript libraries before attackers do.
Every script tag on your page is a dependency running with the full privileges of your origin: it can read the DOM, cookies that aren't HttpOnly, localStorage and anything the user types, and it can make requests as that user. When one of those scripts has a known vulnerability, you are shipping the vulnerable code to every visitor yourself; the attacker only needs an input path that reaches it. The average website loads 20+ external scripts, and web-wide surveys keep finding that over 70% of sites include at least one library version with a known CVE.
The usual suspects
jQuery is the most common offender, not because it's inherently insecure, but because it's everywhere and old copies never get replaced: versions below 3.5.0 have known XSS vulnerabilities in the HTML parsing done by htmlPrefilter (CVE-2020-11022 and CVE-2020-11023), and versions below 3.4.0 additionally have prototype pollution through jQuery.extend(true, ...) (CVE-2019-11358). AngularJS (the 1.x branch) reached end of life at the end of 2021 and has security issues that will never be fixed. Lodash has a string of prototype pollution CVEs in its deep-merge helpers, and anything below 4.17.21 still carries known issues. Moment.js has had ReDoS bugs in its date-string parsing. These are all popular libraries that work perfectly well; they just have old versions with known holes.
How attackers use known CVEs
A known CVE is a recipe with instructions. Attackers don't need to discover a new vulnerability; they look up the CVE, pull the published proof of concept, and scan for sites running the affected version, which the version string in the script URL often announces for them. jQuery's prototype pollution (CVE-2019-11358), for example, is reachable wherever a site passes attacker-influenced JSON through jQuery.extend(true, ...), and it can be chained with other weaknesses to achieve XSS on sites that would otherwise be protected. The attacker's effort is minimal because all the research has already been published.
CDN versions are especially sticky
Libraries loaded from CDNs tend to stay on outdated versions for years. A developer added the CDN link, it worked, and nobody ever updated it. npm dependencies get flagged by audit tools in CI/CD pipelines because they are declared in package.json and the lockfile; a CDN script tag is declared nowhere an audit tool looks. It sits in HTML templates, CMS themes, and WordPress plugins, silently serving vulnerable code.
<!-- This is on millions of sites right now -->
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>

<!-- This is what it should be -->
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"
        integrity="sha384-..."
        crossorigin="anonymous"></script>
Finding vulnerable libraries
For npm dependencies, run npm audit in your project; it checks the lockfile against the npm advisory database. For CDN-loaded libraries, you need to scan the actual rendered page and detect library versions from the loaded scripts. Two signals work: the version in the script URL (cdnjs, jsDelivr and code.jquery.com all put it in the path), and version globals exposed at runtime (jQuery.fn.jquery, angular.version.full, _.VERSION, moment.version), which also catch self-hosted copies whose URL says nothing. Compare what you find against known CVE databases. This is tedious to do manually across an entire site, which is why tools exist to automate it (retire.js does exactly this fingerprinting for JavaScript libraries).
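Here is what that detection looks like in code. This is an added example, not KrakenProbe's scanner or any library's own code: it pulls library names and versions out of CDN script URLs in a page's HTML, probes the runtime version globals named above on a window-like object, merges the two, and checks each version against a small advisory table. The HTML, the fake window and the advisory table are all constructed for the example; the table only lists the jQuery and Lodash advisories discussed on this page and is not a substitute for a real CVE database.

```javascript
// Added example: detect loaded JavaScript libraries and their versions, then
// compare them against a constructed advisory table. Not the page's own tool.

// Constructed advisory table (illustrative, not a vulnerability database).
// Versions strictly below fixedIn are affected.
const ADVISORIES = [
  { lib: 'jquery', fixedIn: '3.4.0', ids: ['CVE-2019-11358'], note: 'prototype pollution via jQuery.extend(true, ...)' },
  { lib: 'jquery', fixedIn: '3.5.0', ids: ['CVE-2020-11022', 'CVE-2020-11023'], note: 'XSS in htmlPrefilter HTML parsing' },
  { lib: 'lodash', fixedIn: '4.17.21', ids: ['CVE-2021-23337', 'CVE-2020-28500'], note: 'template command injection / ReDoS' },
];

// Map CDN path segments onto the canonical library name used in ADVISORIES.
const CDN_NAMES = { jquery: 'jquery', 'lodash.js': 'lodash', lodash: 'lodash', 'angular.js': 'angularjs', 'moment.js': 'moment' };

// Numeric major.minor.patch comparison; a pre-release suffix is ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Static pass: read name and version out of CDN script URLs. Handles cdnjs
// (/ajax/libs/<name>/<ver>/), jsDelivr and unpkg (/npm/<name>@<ver>/) and the
// jQuery CDN (code.jquery.com/jquery-<ver>.min.js). Self-hosted bundles are
// not visible here; that is what the runtime pass is for.
function librariesFromHtml(html) {
  const found = [];
  const srcRe = /<script[^>]*\ssrc=["']([^"']+)["']/gi;
  let m;
  while ((m = srcRe.exec(html)) !== null) {
    const src = m[1];
    const hit = src.match(/\/ajax\/libs\/([^/]+)\/(\d+\.\d+\.\d+)\//)
      || src.match(/\/npm\/([^@/]+)@(\d+\.\d+\.\d+)\//)
      || src.match(/code\.jquery\.com\/(jquery)-(\d+\.\d+\.\d+)/);
    if (hit) found.push({ lib: CDN_NAMES[hit[1]] || hit[1].toLowerCase(), version: hit[2], source: src });
  }
  return found;
}

// Runtime pass: probe the version globals. In a browser pass `window`
// (e.g. from devtools or a headless-browser page.evaluate); here we pass a
// constructed stand-in. Each probe is wrapped so a missing global cannot throw.
function librariesFromGlobals(win) {
  const probes = [
    ['jquery', () => win.jQuery && win.jQuery.fn && win.jQuery.fn.jquery],
    ['lodash', () => win._ && win._.VERSION],
    ['angularjs', () => win.angular && win.angular.version && win.angular.version.full],
    ['moment', () => win.moment && win.moment.version],
  ];
  const found = [];
  for (const [lib, probe] of probes) {
    let v;
    try { v = probe(); } catch (_) { v = undefined; }
    if (typeof v === 'string') found.push({ lib, version: v, source: 'global' });
  }
  return found;
}

// Attach matching advisory IDs to every detected library.
function audit(libs) {
  return libs.map((lib) => {
    const cves = [];
    for (const adv of ADVISORIES) {
      if (adv.lib === lib.lib && compareVersions(lib.version, adv.fixedIn) < 0) cves.push(...adv.ids);
    }
    return { ...lib, vulnerable: cves.length > 0, cves };
  });
}

// Merge both passes, de-duplicating on name@version (the first sighting wins).
function scanPage(html, win) {
  const seen = new Map();
  for (const lib of [...librariesFromHtml(html), ...librariesFromGlobals(win)]) {
    const key = `${lib.lib}@${lib.version}`;
    if (!seen.has(key)) seen.set(key, lib);
  }
  return audit([...seen.values()]);
}

// Constructed sample page: one stale jQuery, one stale lodash, one current
// jQuery, and a first-party bundle the URL pass cannot classify.
const SAMPLE_HTML = `
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/lodash@4.17.15/lodash.min.js"></script>
<script src="https://code.jquery.com/jquery-3.7.1.min.js"></script>
<script src="/assets/app.js"></script>
`;
// Constructed stand-in for window after those scripts ran.
const SAMPLE_WINDOW = { jQuery: { fn: { jquery: '3.3.1' } }, _: { VERSION: '4.17.15' } };

console.log(JSON.stringify(scanPage(SAMPLE_HTML, SAMPLE_WINDOW), null, 2));
```

Run it under Node to see the report for the constructed page; the two stale libraries come back with their CVE lists and jQuery 3.7.1 comes back clean. The URL pass is cheap and works from a crawl of raw HTML; the globals pass needs a real browser context but is the only one that sees self-hosted or bundled copies, and even it misses libraries that a bundler wrapped without exposing a global, which is why content fingerprinting (the approach retire.js takes) is the third signal in practice.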
The fix is usually simple
Most of the time, the fix is updating the version number. Major version bumps may require code changes (jQuery 3.x dropped APIs that 1.x and 2.x code still calls, and the jQuery Migrate plugin exists to flag them), but minor and patch updates for security fixes are typically drop-in replacements. If you can't update (legacy dependencies), consider whether you actually need the library. Many sites load jQuery for one or two functions that modern JavaScript handles natively. Always add subresource integrity hashes when loading from CDNs so a compromised CDN can't serve you tampered files. Keep in mind what SRI does and doesn't do: it pins the exact bytes you hashed, so it defends against tampering, not against a version you chose that is itself vulnerable, it requires crossorigin="anonymous" and a CDN that sends CORS headers, and every version bump means regenerating the hash.
Scan your libraries
KrakenProbe detects JavaScript libraries on your page, identifies their versions, and checks them against known vulnerability databases. Run a free scan to find out if you're serving known-vulnerable code to your users.
Check your site now
Run a free security scan — 8 scanners check your site in seconds.