The Google Lighthouse audits tool includes a set of Best Practices website tests, one of which checks for vulnerable versions of popular front-end JavaScript libraries like jQuery, Bootstrap, Lodash, Handlebars etc. When Lighthouse finds an old version of a JavaScript library (like jQuery v1.12.4 built into WordPress) it outputs the security warning:
Includes front-end JavaScript libraries with known security vulnerabilities
As an SEO consultant I’ve spent a LOT of time looking through Google Lighthouse audits and it’s rare to view a popular website today which does NOT use jQuery; stats indicate around 75% of websites use jQuery!
jQuery is a Security Vulnerability!
jQuery is such a complex JavaScript library that, given time, smart hackers will eventually find a security vulnerability. As I write this article in May 2020 the latest version of jQuery is version 3.5.0, which was released on April 10th, 2020. jQuery 3.5.0 included multiple security fixes because ALL old versions of jQuery have security vulnerabilities, and we can pretty much assume a smart hacker will find a vulnerability in version 3.5.0.
Vulnerable Websites
The majority of websites I look at run a vulnerable version of jQuery; below are a few examples of popular brand websites with vulnerabilities.
Before you decide you are OK having a vulnerable website because the brands below haven’t fixed their issues, there are other big brands with ZERO vulnerable JavaScript libraries, including Apple, Amazon, eBay, Tesco, Disney and many others. There’s no excuse for ignoring cyber security issues in 2020.
Coca-Cola Website Vulnerabilities
According to Lighthouse the Coca-Cola homepage uses three vulnerable JavaScript libraries with a total of 8 security vulnerabilities. Coca-Cola uses the following vulnerable JavaScript libraries: jQuery v1.12.4, Lodash v4.17.10 and Handlebars v4.0.11.
The security vulnerabilities include Cross-site Scripting (XSS), Prototype Pollution, Regular Expression Denial of Service (ReDoS), Denial of Service (DoS) and Arbitrary Code Execution cyber-security issues!
Considering the size of Coca-Cola, their on-site SEO is atrocious; they’ve even made the basic SEO mistake of having their homepage title tag as Home! I might have to do a full Coca-Cola website SEO review one day.
Hard to believe, but as a UK citizen I can’t even access the US version of the Coca-Cola website: I receive a 403 ERROR The request could not be satisfied. The Amazon CloudFront distribution is configured to block access from your country. I am however allowed to access the Russian and Chinese versions of the Coca-Cola website. WoW!
Camping World Website Vulnerabilities
According to Lighthouse the Camping World main website homepage uses jQuery UI@1.11.2, which has 1 High Severity security issue. The security vulnerability is Cross-site Scripting (XSS).
Interestingly, looking through the Camping World homepage HTML code indicates the use of other jQuery versions, including jQuery 3.4.1 and jQuery 1.11.1.
Specifically, jQuery 3.4.1 is loaded for IE 9 web browser users and jQuery 1.11.1 for IE 8 web browser users. I wonder if they aren’t listed by Lighthouse because the scripts are only loaded when accessed by Microsoft Internet Explorer versions 8 and 9?
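Lighthouse reports only the libraries the browser it drives actually executes, so a static scan of the page HTML is the quick way to find scripts that load solely inside IE conditional comments. The PHP script below is an added example, not code from the original post or from Lighthouse; the function names, the constructed sample HTML and the 3.5.0 floor (taken from the version the post names as current) are my own assumptions.

```php
<?php
// Added example, not code from the original post: inventory every jQuery / jQuery UI
// version a page's HTML references, including scripts hidden inside IE conditional
// comments, which a modern browser (and therefore a Lighthouse run) never loads.

function seogold_extract_versions( string $fragment ): array {
    $versions = array();
    // Match <script src="..."> whose path names jquery, then pull the version out of
    // jquery-1.11.1.min.js / jquery-ui-1.11.2.js style names or the
    // jquery.min.js?ver=1.12.4 style that WordPress emits.
    if ( preg_match_all( '/<script\b[^>]*\bsrc=["\']([^"\']*jquery[^"\']*)["\']/i', $fragment, $m ) ) {
        foreach ( $m[1] as $src ) {
            if ( preg_match( '/(jquery(?:-ui)?)(?:[-.]|\.min\.js\?ver=)(\d+\.\d+(?:\.\d+)?)/i', $src, $v ) ) {
                $versions[] = array( 'library' => strtolower( $v[1] ), 'version' => $v[2] );
            }
        }
    }
    return $versions;
}

function seogold_jquery_inventory( string $html, string $minimum = '3.5.0' ): array {
    $rows = array();

    // Downlevel-hidden conditional comments: <!--[if lt IE 9]> ... <![endif]-->
    // Only the named Internet Explorer versions execute what is inside.
    $pattern = '/<!--\[if\s+([^\]]+)\]>(.*?)<!\[endif\]-->/is';
    if ( preg_match_all( $pattern, $html, $blocks, PREG_SET_ORDER ) ) {
        foreach ( $blocks as $block ) {
            // <!--[if !IE]><!--> ... <!--<![endif]--> is the "revealed" form that every
            // other browser executes too, so its content counts as unconditional.
            $condition = ( strpos( $block[2], '<!-->' ) === 0 ) ? 'always' : 'only ' . trim( $block[1] );
            foreach ( seogold_extract_versions( $block[2] ) as $hit ) {
                $rows[] = $hit + array( 'loads' => $condition );
            }
            // Remove the block so the unconditional pass below does not count it twice.
            $html = str_replace( $block[0], '', $html );
        }
    }

    foreach ( seogold_extract_versions( $html ) as $hit ) {
        $rows[] = $hit + array( 'loads' => 'always' );
    }

    foreach ( $rows as &$row ) {
        // version_compare() orders "1.12.4" before "3.5.0". jQuery UI has its own
        // release line, so only jQuery itself is compared against $minimum.
        $row['outdated'] = ( 'jquery' === $row['library'] ) ? version_compare( $row['version'], $minimum, '<' ) : null;
    }
    unset( $row );
    return $rows;
}

// Constructed sample page (not Camping World's real HTML) mirroring the pattern in the
// post: one jQuery for IE 8, another for IE 9, and core's 1.12.4 for everybody else.
$sample = <<<'HTML'
<!DOCTYPE html><html><head>
<!--[if lt IE 9]><script src="/js/jquery-1.11.1.min.js"></script><![endif]-->
<!--[if IE 9]><script src="/js/jquery-3.4.1.min.js"></script><![endif]-->
<script src="/wp-includes/js/jquery/jquery.min.js?ver=1.12.4"></script>
<script src="/js/jquery-ui-1.11.2.min.js"></script>
</head><body></body></html>
HTML;

foreach ( seogold_jquery_inventory( $sample ) as $row ) {
    printf( "%-9s %-8s loads: %-12s outdated: %s\n",
        $row['library'], $row['version'], $row['loads'],
        is_null( $row['outdated'] ) ? 'n/a' : ( $row['outdated'] ? 'yes' : 'no' ) );
}
```

Run it against a saved copy of the homepage HTML (view-source, not the DOM a modern browser built) and every jQuery build the page can ever serve is listed with the condition under which it loads, so the IE-only copies are no longer invisible just because Lighthouse did not execute them.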
The Camping World RV Sales section of the site is much more concerning. When tested with Lighthouse there are 8 “Includes front-end JavaScript libraries with known security vulnerabilities” detected!
You can see the RV sales section of the Camping World website has a lot of JavaScript security vulnerabilities, 5 related to Bootstrap 3.3.7 and 3 related to two jQuery scripts.
The obvious solutions to these security vulnerabilities are: completely remove the need for Bootstrap and jQuery on the front-end; upgrade Bootstrap and jQuery to the latest release; OR be 100% certain the conditions required for a malicious hacker to take advantage of those 8 security vulnerabilities are NEVER available.
The third option should be your last resort: no matter how good you believe you are at server security there’s always someone smarter than you, so either remove/replace the Bootstrap/jQuery features or UPGRADE ASAP.
How to Avoid jQuery Features?
The website you are on now runs under WordPress, and jQuery is a part of the WordPress Dashboard, so even if I avoided all WordPress themes and plugins which rely on jQuery to output webpages, jQuery would still be used by this website.
WordPress themes and plugins use jQuery for ‘flashy’ features like image sliders; if you see a date picker or color code picker built into a theme or plugin it’s probably created using jQuery. It is really hard to build a website in 2020 without using jQuery, but it’s not impossible.
It is possible to build the front-end (what we see in a browser) of a website without jQuery. For example, all but one webpage on this site avoids jQuery, so when tested with Lighthouse there’s none of the “Includes front-end JavaScript libraries with known security vulnerabilities” warnings you find with most WordPress sites.
The above amazing Lighthouse results were achieved by avoiding jQuery altogether, but that’s not possible for all websites; some require ‘flashy’ features. The SEO Gold About Page uses a WordPress Contact Page Plugin which requires jQuery. Run the About page URL through Lighthouse and you will see it still has awesome Lighthouse results.
I achieved the above amazing Lighthouse results on a webpage requiring jQuery by updating the version of jQuery used by WordPress to version 3.5.*. The About page still uses jQuery, but it’s using version 3.5.*, which currently has no known security vulnerabilities.
Unfortunately the WordPress development team are highly unlikely to upgrade the WordPress core version of jQuery in the foreseeable future. This is because WordPress has had to take into account old WordPress themes and plugins which will break if the core version of jQuery built into WordPress is updated, so WordPress has made the decision NOT to update jQuery!
WordPress is stuck with jQuery version 1.12.4, which is VERY old, but that doesn’t mean you have to use it on your website: upgrade jQuery and don’t use any themes or plugins which break in jQuery 3.5+.
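One way to do exactly that, swapping the front-end jQuery for a 3.5.x release while leaving the Dashboard on core’s copy, is a small must-use plugin. This is an added example and not the post’s own code or anything shipped by WordPress; the plugin file name, the assets path, the constant name and the 3.5.1 file name are my assumptions, and you download the minified build from jquery.com yourself.

```php
<?php
/**
 * Plugin Name: Front-end jQuery swap (added example, not part of the original post)
 * Description: Serve a current jQuery 3.5.x release on the public site while the
 *              WordPress Dashboard keeps core's jQuery 1.12.4.
 *
 * Assumptions (hypothetical, not from the post): this file is saved as
 * wp-content/mu-plugins/frontend-jquery.php and the minified build downloaded from
 * jquery.com sits at wp-content/mu-plugins/assets/jquery-3.5.1.min.js.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // direct HTTP requests to this file get nothing
}

define( 'SEOGOLD_JQUERY_VERSION', '3.5.1' ); // hypothetical constant name

function seogold_swap_frontend_jquery() {
    // Dashboard screens expect core's jQuery (and WordPress refuses to deregister
    // it there anyway), so only act on the public front-end.
    if ( is_admin() ) {
        return;
    }

    $file = WPMU_PLUGIN_DIR . '/assets/jquery-' . SEOGOLD_JQUERY_VERSION . '.min.js';
    if ( ! file_exists( $file ) ) {
        // Missing file: leave core's copy registered rather than break every
        // theme and plugin script that depends on 'jquery'.
        return;
    }
    $src = WPMU_PLUGIN_URL . '/assets/jquery-' . SEOGOLD_JQUERY_VERSION . '.min.js';

    // Drop the three handles core registers: the 'jquery' alias, the library itself
    // and the 1.x Migrate shim (not needed once the old-API code is gone).
    wp_deregister_script( 'jquery' );
    wp_deregister_script( 'jquery-core' );
    wp_deregister_script( 'jquery-migrate' );

    // Re-register under the same handles so every theme/plugin that lists 'jquery'
    // as a dependency picks up the new file with no changes on their side.
    // The version string becomes the ?ver= cache-buster on the script URL.
    wp_register_script( 'jquery-core', $src, array(), SEOGOLD_JQUERY_VERSION, false );
    wp_register_script( 'jquery', false, array( 'jquery-core' ), SEOGOLD_JQUERY_VERSION, false );
}
// Priority 1 runs before themes and plugins enqueue their own scripts at priority 10.
add_action( 'wp_enqueue_scripts', 'seogold_swap_frontend_jquery', 1 );
```

After deploying, open the browser console on a front-end page and check jQuery.fn.jquery reports 3.5.1, then re-run Lighthouse to confirm the warning is gone. Click through every theme and plugin feature that uses jQuery (sliders, date pickers, contact forms) on a staging copy first, since anything relying on APIs removed in jQuery 3 will stop working, which is the trade-off the post describes.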
David Law