Vulnerable module

What is a vulnerable module?

A vulnerable module is a third-party JavaScript library with security flaws that have been discovered and publicly disclosed. When a vulnerability is disclosed, a severity score from 0 to 10 is assigned according to several criteria (attack vector, complexity, privileges required, and so on), and that score places the vulnerability in one of three levels:

  • high, between 7 and 10: high risk
  • medium, between 4 and 6.9: moderate risk
  • low, between 0 and 3.9: low risk

Why are they dangerous?

Vulnerable modules can be exploited by attackers and, depending on the flaw, the impact on the integrity of a website and on the trust users place in it can be more or less serious. To avoid being compromised and exposing user data, these holes must be closed.

Some examples of attacks:

  • XSS (Cross-Site Scripting): lets an attacker inject code that the browser executes within the page; for example, this code can send users' cookies to the attacker, who can then take over a user's session.
  • CSRF (Cross-Site Request Forgery): makes the browser perform actions on behalf of the user without the user being aware of it, such as deleting their account
  • SQL injection: gives access to database data without the required authorizations
  • DoS (Denial of Service): makes the browser unusable, for example through excessive CPU or memory consumption

How to correct them

When a JavaScript module has known security flaws, one of the following is necessary:

  • update it with a more recent version
  • use an alternative module
  • remove it from the website
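To make the severity bands and the remediation choices above concrete, here is an added Node.js example (not code from the original page): it takes a report shaped like the `vulnerabilities` object of `npm audit --json` (an assumed shape; the module names, scores and the `auditModules`/`severityLevel` helpers are constructed for illustration), assigns each module the page's severity level and one of the page's three fixes, and fails while any high-risk module remains.

```javascript
// Added example, not code from the original page: rate a site's vulnerable
// JavaScript modules with the page's severity bands and pick one of its fixes.
// Input mimics the "vulnerabilities" object of `npm audit --json` (assumed
// shape); every module name and score below is constructed sample data.
const SAMPLE_REPORT = {
  vulnerabilities: {
    "example-xss-lib": {
      fixAvailable: { name: "example-xss-lib", version: "1.2.3" },
      via: [{ title: "Cross-Site Scripting", cvss: { score: 7.5 } }],
    },
    "example-dos-lib": {
      fixAvailable: false,
      via: [{ title: "Denial of Service", cvss: { score: 5.3 } }],
    },
    "example-legacy-util": {
      fixAvailable: false,
      via: [{ title: "Outdated dependency", cvss: { score: 2.1 } }],
    },
  },
};

// Map a 0-10 score onto the page's bands: high 7-10, medium 4-6.9, low 0-3.9.
function severityLevel(score) {
  if (typeof score !== "number" || Number.isNaN(score) || score < 0 || score > 10) {
    throw new RangeError(`score out of range: ${score}`);
  }
  if (score >= 7) return "high";
  if (score >= 4) return "medium";
  return "low";
}

// A module may carry several advisories; rate it by the worst one.
function worstScore(entry) {
  return Math.max(0, ...entry.via.map((v) => (v.cvss && v.cvss.score) || 0));
}

// Page's remediations: update when a fixed version exists, otherwise switch
// to an alternative module or remove the module from the site.
function remediation(entry) {
  return entry.fixAvailable ? "update" : "replace-or-remove";
}

// One row per module, plus a gate that fails while any high-risk module remains.
function auditModules(report) {
  const rows = Object.entries(report.vulnerabilities).map(([name, entry]) => {
    const score = worstScore(entry);
    return { name, score, level: severityLevel(score), action: remediation(entry) };
  });
  return { rows, pass: rows.every((r) => r.level !== "high") };
}
```

Run it in a CI step against the real audit output and treat `pass === false` as a failed build, so a high-risk module cannot ship unnoticed.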