What is a vulnerable module?
A vulnerable module is a third-party JavaScript library with security holes that have been discovered and made public. When a vulnerability is discovered, a criticality score from 0 to 10 is determined according to several criteria (attack vector, complexity, privileges required, etc.) and the score is then classified into one of three levels:
- high, between 7 and 10: high risk
- medium, between 4 and 6.9: moderate risk
- low, between 0 and 3.9: low risk
Why are they dangerous?
Vulnerable modules can be exploited by attackers, which, depending on the flaw, can have a more or less serious impact on the integrity of a web site and on the trust users place in it. To avoid being compromised and exposing user data, it is necessary to close these holes.
Some examples of attacks:
- XSS (Cross-Site Scripting): allows code to be injected into a page and executed by the browser; such code can, for example, send users' cookies to the attacker, who can then take over a user's session.
- CSRF (Cross-Site Request Forgery): allows actions to be performed on behalf of the user without their knowledge, such as deleting their account.
- SQL Injection: allows access to database data without the required authorizations.
- DoS (Denial of Service): makes the browser unusable, for example through excessive CPU/memory consumption.
How to correct them?
When a JavaScript module has known security flaws, it is necessary to do one of the following:
- update it with a more recent version
- use an alternative module
- remove it from the website
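The triage the two sections above describe (mapping a score to its level, then choosing between updating, replacing or removing an affected module), as an added example that is not part of the original page. The installed module versions and the advisories are constructed for illustration; the module names, scores and version ranges are assumptions, not real advisories.

```javascript
// Constructed inventory of installed modules (name -> version); not real packages.
const INSTALLED = { "example-lib": "1.4.2", "other-lib": "2.0.0", "safe-lib": "3.1.0" };

// Constructed advisories: every version below `affectedBelow` is vulnerable,
// `fixedIn` is the first safe version, or null when no fix has been published.
const ADVISORIES = [
  { module: "example-lib", score: 7.5, affectedBelow: "1.5.0", fixedIn: "1.5.0" },
  { module: "other-lib", score: 5.3, affectedBelow: "2.1.0", fixedIn: null },
  { module: "safe-lib", score: 9.8, affectedBelow: "3.0.0", fixedIn: "3.0.0" },
];

// The three bands described above: 7-10 high, 4-6.9 medium, 0-3.9 low.
function severityLevel(score) {
  if (score >= 7) return "high";
  if (score >= 4) return "medium";
  return "low";
}

// Minimal major.minor.patch comparison (no pre-release tags handled).
function parseVersion(v) {
  return v.split(".").map(Number);
}
function versionLessThan(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if ((x[i] || 0) !== (y[i] || 0)) return (x[i] || 0) < (y[i] || 0);
  }
  return false;
}

// Returns the affected modules, worst first, each with the remediation the
// page lists: update when a fixed version exists, otherwise replace or remove.
function triage(installed, advisories) {
  const findings = [];
  for (const adv of advisories) {
    const version = installed[adv.module];
    if (!version || !versionLessThan(version, adv.affectedBelow)) continue;
    findings.push({
      module: adv.module,
      installed: version,
      level: severityLevel(adv.score),
      action: adv.fixedIn ? `update to ${adv.fixedIn}` : "use an alternative module or remove it",
    });
  }
  const rank = { high: 0, medium: 1, low: 2 };
  return findings.sort((a, b) => rank[a.level] - rank[b.level]);
}

console.log(triage(INSTALLED, ADVISORIES));
```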