jQuery survey shows majority using unmaintained versions – but upgrading might not be easy

Something stinks

The OpenJS Foundation has sponsored a jQuery survey showing that a majority of websites using this ubiquitous library run unmaintained versions, concluding that privacy and security are at risk in three-quarters of a billion websites, though without presenting evidence that jQuery is used in an insecure manner on these sites.

The open source jQuery JavaScript library, created by John Resig, was first released in 2006. It simplifies many common tasks faced by JavaScript developers, and has become so embedded in the community that many solutions offered by sites like Stack Overflow presume its use. The Foundation, which now hosts the jQuery project, estimates that almost 90% of the world’s websites use the software.

The state of jQuery updates according to an IDE survey sponsored by the OpenJS Foundation

The survey of 500 organizations across North America and Europe showed 44 percent using version 3.6.0 or newer, which it says are maintained versions, while 59 percent use versions 1.x – 3.5.1, which are not. A relatively high number (23 percent) use version 3.5.0 or 3.5.1, which are just one upgrade away from current.

Many organizations use more than one version; in fact it is quite common for multiple versions to be used on one site, hence the percentage figures presented add up to more than 100.
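As an added illustration of the version bands the survey uses (my own example, not code from the article or from the OpenJS Foundation's checkup tool), the script below inventories every jQuery copy a page loads from its script URLs, covering the case described above where one site runs several versions, and classifies each against the 3.6.0 boundary. The CDN URL layouts it recognises and the sample script list are constructed assumptions.

```javascript
// Added example: inventory jQuery versions on a page and classify them using
// the survey's bands (3.6.0+ maintained; 3.5.0/3.5.1 one upgrade from current;
// anything older unmaintained). Not part of the article or any OpenJS tool.

// Parse "1.12.4" or "3.6" into comparable integer parts; null if unparseable.
function parseVersion(text) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(text);
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

const MAINTAINED_FROM = [3, 6, 0]; // survey's "maintained" boundary
const ONE_AWAY_FROM = [3, 5, 0];   // 3.5.0 / 3.5.1: one upgrade from current

function classify(versionText) {
  const v = parseVersion(versionText);
  if (!v) return 'unknown';
  if (compareVersions(v, MAINTAINED_FROM) >= 0) return 'maintained';
  if (compareVersions(v, ONE_AWAY_FROM) >= 0) return 'one-upgrade-away';
  return 'unmaintained';
}

// Pull a version out of URL shapes such as ".../jquery-1.12.4.min.js" or
// ".../jquery/3.5.1/jquery.min.js" (assumed layouts). "jquery-ui-..." is
// jQuery UI, a different library, and is deliberately not matched.
function versionFromUrl(url) {
  const m = /jquery[-/](\d+\.\d+\.\d+)/i.exec(url);
  return m ? m[1] : null;
}

// Map of version -> band for every copy found in script URLs plus the version
// actually active as window.jQuery (which may come from a renamed bundle).
function inventory(scriptUrls, runtimeVersion) {
  const found = {};
  for (const url of scriptUrls) {
    const v = versionFromUrl(url);
    if (v) found[v] = classify(v);
  }
  if (runtimeVersion) found[runtimeVersion] = classify(runtimeVersion);
  return found;
}

// Constructed sample: a site loading three copies of jQuery core plus jQuery UI.
const SAMPLE_SCRIPTS = [
  'https://code.jquery.com/jquery-3.7.1.min.js',
  'https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js',
  '/themes/legacy/js/jquery-1.12.4.min.js',
  '/themes/legacy/js/jquery-ui-1.12.1.min.js',
];
// In a browser: inventory(Array.from(document.scripts, s => s.src),
//                         window.jQuery && window.jQuery.fn.jquery)
console.log(inventory(SAMPLE_SCRIPTS, '3.5.1'));
```

Note that a version check of this kind, like the Foundation's tool, says nothing about whether untrusted HTML is actually passed to the library on the page; it only tells you which copies are out of support.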

The jQuery website does not publish an end of life policy, but does have a security policy on GitHub which states simply that “the latest released version of jQuery is supported.” At the time of writing, that is version 3.7.1 released in August. We have asked the Foundation for clarification of which versions are supported and how developers can track this information.

How risky are older versions of jQuery? Snyk lists a number of vulnerabilities, most related to cross-site scripting, such as CVE-2020-11022 which might execute untrusted code if HTML from untrusted sources is passed to the library. Security issues in jQuery are relatively uncommon, and it is just one small piece in the wider problem of vulnerable dependencies in JavaScript libraries.

While the survey makes general references to the benefit of using current versions, such as that “more current versions typically have better security and newer features,” the reality is that constantly upgrading libraries such as jQuery can be difficult, especially if they come as part of another package, or are used in custom code that lacks rigorous test coverage. The upgrade guide to jQuery Core 3.0 shows a number of breaking changes. 

An example of the kinds of problems faced by developers is in this 2019 thread where a post asked “I am one of the core committers to Drupal, which relies on jQuery and jQuery UI. With jQuery UI being in Emeritus (end of life) status, it puts us into a hard place once/if jQuery 4 comes out if jQuery 3 support is stopped, because that would mean that we are using an end of life JS library based on an unsupported version of another library.” A further post recollects how it was when jQuery 3.0 was released. “Our release was November 2015; jQuery 3.0 came out in 2016. By 2017 there were security fixes not being backported to jQuery 2, so we had to do a major version upgrade to jQuery 3 mid-major and it was a big breaking change for many Drupal sites and themes.”

Keeping up to date with jQuery, as with many dependencies, is not always straightforward; and in cases like this the end user's real task is keeping Drupal, a popular content management system, up to date, which is itself a challenge.

The Foundation nevertheless claims “security” is “at risk in three-quarters of a billion websites” and argues that “a behavioral change to web security is required.” 

What that behavioral change might be is not stated, though the Foundation is coming up with a free “healthy web checkup tool” for organizations to run against their websites. It is currently a rather limited tool which “only checks the version of jQuery” and further, “is currently in beta and limited for use by technical evaluators and OpenJS members.” General availability is promised for early 2024. 

Developers already have much more comprehensive dependency checking tools from the likes of GitHub, Snyk and Docker; but possibly this tool aims to increase awareness more than to be useful to developers themselves.

The problem is real but complex, more so than the OpenJS Foundation survey and its publicity suggest.