As an SEO consultant I’ve spent a LOT of time looking through Google Lighthouse audits, and it’s rare to find a popular website today which does NOT use jQuery: stats indicate around 75% of websites use jQuery!
jQuery is a Security Vulnerability!
The majority of websites I look at run a vulnerable version of jQuery; below are a few examples of popular brand websites with vulnerabilities.
Coca-Cola Website Vulnerabilities
The security vulnerabilities include Cross-site Scripting (XSS), Prototype Pollution, Regular Expression Denial of Service (ReDoS), Denial of Service (DoS) and Arbitrary Code Execution issues!
Considering the size of Coca-Cola, their on-site SEO is atrocious: they’ve even made the basic SEO mistake of having their homepage title tag as ‘Home’! I might have to do a full Coca-Cola website SEO review one day.
Hard to believe, but as a UK citizen I can’t even access the US version of the Coca-Cola website: I receive a 403 ERROR “The request could not be satisfied. The Amazon CloudFront distribution is configured to block access from your country.” I am however allowed to access the Russian and Chinese versions of the Coca-Cola website. WoW!
Camping World Website Vulnerabilities
According to Lighthouse, the Camping World main website homepage uses jQuery UI@1.11.2, which has 1 High Severity security issue: Cross-site Scripting (XSS).
Interestingly, looking through the Camping World homepage HTML code reveals the use of other jQuery libraries, including jQuery 3.4.1 and jQuery 1.11.1.
Specifically, jQuery 3.4.1 is served to IE 9 web browser users and jQuery 1.11.1 to IE 8 web browser users. I wonder if they aren’t listed by Lighthouse because the scripts are only loaded when the page is accessed by Microsoft Internet Explorer versions 8 and 9?
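One way to catch the conditionally loaded builds described above, as an added example that is not part of the original post and is not something Lighthouse does: a Node.js script that lists every jQuery / jQuery UI script a page references, including those inside IE conditional comments, and flags versions below a floor. SAMPLE_HTML, its paths and the jQuery UI floor in MINIMUMS are assumptions; only the jQuery core floor of 3.5.0 comes from the post.

```javascript
// Added example, not code from the original post. SAMPLE_HTML is constructed markup
// (paths are assumptions); it mirrors the pattern of one jQuery build per IE version.
const SAMPLE_HTML = `<!doctype html><html><head>
<script src="/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp"></script>
<script src="https://cdn.example.invalid/jquery-ui/1.11.2/jquery-ui.min.js"></script>
<!--[if IE 9]><script src="/assets/jquery-3.4.1.min.js"></script><![endif]-->
<!--[if lt IE 9]><script src="/assets/legacy/jquery-1.11.1.min.js"></script><![endif]-->
<script src="/assets/vendor/jquery.min.js"></script>
</head><body></body></html>`;

// jQuery core 3.5.0 is the floor the post describes; 1.12.0 for jQuery UI is an
// assumption for this example, so confirm it against a current advisory feed.
const MINIMUMS = { jquery: "3.5.0", "jquery-ui": "1.12.0" };
// true when version a is lower than b, comparing major.minor.patch numerically
function olderThan(a, b) {
  const [x, y] = [a, b].map((v) => v.split(".").map(Number));
  for (let i = 0; i < 3; i++) if ((x[i] || 0) !== (y[i] || 0)) return (x[i] || 0) < (y[i] || 0);
  return false;
}

// Spans of <!--[if ...]> ... <![endif]--> so each script can be tagged with its IE condition
function conditionalSpans(html) {
  const re = /<!--\[if\s+([^\]]+)\]>[\s\S]*?<!\[endif\]-->/gi;
  const spans = [];
  for (let m; (m = re.exec(html)) !== null; )
    spans.push({ start: m.index, end: m.index + m[0].length, condition: m[1].trim() });
  return spans;
}

// One finding per jQuery / jQuery UI <script src>; outdated is null when no version is visible
function auditJquery(html, minimums = MINIMUMS) {
  const spans = conditionalSpans(html), findings = [];
  const scriptRe = /<script[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  for (let m; (m = scriptRe.exec(html)) !== null; ) {
    const src = m[1], lower = src.toLowerCase();
    // jQuery UI filenames also contain "jquery", so test the longer name first
    const library = lower.includes("jquery-ui") ? "jquery-ui" : lower.includes("jquery") ? "jquery" : null;
    if (!library) continue;
    // first x.y[.z] after the library name: jquery-3.4.1.min.js, /jquery-ui/1.11.2/, ?ver=1.12.4
    const ver = src.slice(lower.indexOf(library)).match(/\d+\.\d+(?:\.\d+)?/);
    const span = spans.find((s) => m.index >= s.start && m.index < s.end);
    findings.push({
      library, src, version: ver ? ver[0] : null,
      condition: span ? span.condition : null,
      outdated: ver ? olderThan(ver[0], minimums[library]) : null,
    });
  }
  return findings;
}
```

A finding with `outdated: null` (no version in the URL) still needs a manual check of the file itself, since a renamed or bundled copy can hide an old build; the `?ver=` value is only as trustworthy as whoever wrote the enqueue call.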
The obvious solution to these security vulnerabilities is either to completely remove the need for Bootstrap and jQuery on the front-end, to upgrade Bootstrap and jQuery to the latest release, OR to be 100% certain the conditions required for a malicious hacker to take advantage of those 8 security vulnerabilities are NEVER available.
The third option should be your last resort: no matter how good you believe you are at server security, there’s always someone smarter than you, so either remove/replace the Bootstrap/jQuery features or UPGRADE ASAP.
How to Avoid jQuery Features?
The website you are on now runs under WordPress, and jQuery is part of the WordPress Dashboard, so even if I avoided all WordPress themes and plugins which rely on jQuery to output webpages, jQuery would still be used by this website.
WordPress themes and plugins use jQuery for ‘flashy’ features like image sliders; if you see a date picker or color code picker built into a theme or plugin, it’s probably created using jQuery. It is really hard to build a website in 2020 without using jQuery, but it’s not impossible.
The above amazing Lighthouse results were achieved by avoiding jQuery altogether, but that’s not possible for all websites: some require ‘flashy’ features. The SEO Gold About Page uses a WordPress Contact Page Plugin which requires jQuery. Run the About Page URL through Lighthouse and you will see it still has awesome Lighthouse results.
I achieved the above amazing Lighthouse results on a webpage requiring jQuery by updating the version of jQuery used by WordPress to version 3.5.*. The About Page still uses jQuery, but it’s using version 3.5.*, which currently has no known security vulnerabilities.
Unfortunately, the WordPress development team are highly unlikely to upgrade the WordPress core version of jQuery in the foreseeable future. This is because WordPress has to take into account old WordPress themes and plugins which will break if the core version of jQuery built into WordPress is updated, so WordPress has made the decision NOT to update jQuery!
WordPress is stuck with jQuery version 1.12.4, which is VERY old, but that doesn’t mean you have to use it on your website: upgrade jQuery and don’t use any themes or plugins which break in jQuery 3.5+.