jQuery Security

OpenJS Foundation Warns Consumer Privacy and Security at Risk in Three-Quarters of a Billion Websites

By Announcement, Blog, jQuery, jQuery Security

OpenJS Foundation reports poor security practices across industries in North America, UK and Europe

SAN FRANCISCO – November 1, 2023 – Global web infrastructure is in a precarious position, according to new research by the OpenJS Foundation made possible by an OpenSSF grant.

The OpenJS Foundation is announcing the results of an end-user audit based on an IDC survey that shows three-quarters of a billion websites are running out-of-date software, with most capturing personal and financial information. Over one-third of respondents confirm having experienced a security incident in the last 24 months.

The OpenJS Foundation analyzed the IDC survey results of this end-user audit and other data points and estimated that of the 1.9 billion websites worldwide, almost 90% use the open source software jQuery, and one-third of those, over three-quarters of a billion sites, require an upgrade. Due to the size of the problem, the OpenJS Foundation suggests that a behavioral change to web security is required.

Key findings:

  • 89% of random survey respondents reported knowing of the use of jQuery on their internet-facing websites
  • 80% of these organizations capture vital information such as personally identifiable information (PII), including payment information (52%), location (64%), and contact information (80%)
  • Websites are essential or high priority for 85% of respondents
  • The business damage from security incidents is severe with 28% reporting loss of customers and 29% reporting loss of revenue. Additionally, 39% reported regulatory violations, and 45% reported brand damage
  • Better security is the #1 motivation for upgrading for 48% of respondents

The end-user audit conducted by IDC surveyed more than 500 people in 23 industries across North America, UK and Europe, representing small, medium and large organizations. 

It is the responsibility of business owners and developers to make their websites secure. Getting actionable information is a key part of the process. Keeping packages up to date is an important way to improve security. Any one package may not be a site’s main security issue, and packages can be abused or used in ways that open up security problems.

Al Gillen, group vice president, Software Development and Open Source, IDC, in a blog post published today on the OpenJS Foundation blog, states: “The take-away from this study is simple: jQuery users have access to a robust, community-supported technology that is free from subscription costs for them to acquire or use, and this project is seeing continual investment and enhancement. Users are already enjoying considerable benefits from the technology, but if you are not using current versions, you owe it to your business to move forward to a supported version to maximize the benefit and minimize any potential risks.” The full IDC blog post is available here.

“There’s a big problem when three-quarters of a billion websites need an upgrade of just one open source project. It leads us to believe companies are using more outdated and unsupported technologies and potentially putting consumers at risk,” said Robin Bender Ginn, executive director of OpenJS Foundation. “To solve a problem of this scale, we need to start thinking about regular assessments of website technology, similar to how people visit their doctor every year for a physical medical checkup.” 

As a result of the study, the OpenJS Foundation is developing a free Healthy Web checkup tool. It will be provided widely to businesses and organizations around the world. The OpenJS Foundation is also seeking to partner with governments, businesses, and consumer advocacy organizations to better the health of the global web economy. 

jQuery made web page development approachable to everyone, but has led to millions of websites remaining on older, unsupported versions. Even as the jQuery Team releases security fixes, these sites often don’t update and remain vulnerable. 

The IDC survey, the Healthy Web checkup tool, and many security improvements were funded by an Alpha-Omega grant. As an associated project of the Open Source Security Foundation, Alpha-Omega’s mission is to catalyze sustained security improvements to the most critical open source software and ecosystems. 

“Many of our engagements start with an audit and then fund security fixes. This situation called for a different approach and we were keen to help,” said Bob Callaway, co-lead of the Alpha-Omega project and engineering manager of Google’s Open Source Security Team. “The Healthy Web checkup tool will be an innovative solution to a thorny problem,” he added. “This problem is not unique to jQuery. We’re hopeful this work can be extended to help everyone understand and mitigate the global risk.” 

“Secure open source software is a public good,” said Omkhar Arasaratnam, general manager of the Open Source Security Foundation (OpenSSF). “We applaud the OpenJS Foundation for making the web more secure through the OpenJS Healthy Web checkup.”

The OpenJS Healthy Web checkup tool takes 5 seconds and currently only checks the version of jQuery. The jQuery version is a great indicator of whether or not organizations have implemented security practices because of how ubiquitous jQuery is and how easy the version is to test.

“The first step to improve the health of your website is to find out if your technology stack needs to be upgraded,” said Michał Gołębiowski-Owczarek, jQuery Core Team member and Senior Staff Software Engineer at Sumo Logic. “We’re constantly improving the security and performance of jQuery and ask people to check the versions of software used on their sites either with the upcoming Healthy Web checkup tool from the OpenJS Foundation or their own assessment.” 

“It is everyone’s responsibility to make their own websites secure. That’s not always a simple task, but ensuring packages are up to date can be a good place to start,” said Timmy Willison, Team Lead for jQuery Core and Lead Front-End Engineer at worbler.ai. “The jQuery Team is pleased to work with the OpenJS Foundation as a part of this Healthy Web checkup campaign. Please join with us and the OpenJS Foundation to help improve the health of the consumer web.” 

“Consumer-facing software requires regular maintenance. Checking for updates from packages like jQuery and keeping your website secure is essential. The open web plays such an important role in modern life,” said Timo Tijhof, Infrastructure Lead for jQuery and Principal Engineer at the Wikimedia Foundation. “Like going to a doctor for regular checkups, auditing your website regularly is key to good web health. Please do your part!”

The OpenJS Foundation is assessing whether to expand the checkup tool to include additional open source JavaScript projects critical to the health of the web.

The OpenJS Healthy Web checkup tool is currently in beta and limited to use by technical evaluators and OpenJS members. General availability is planned for early 2024. OpenJS Foundation is actively seeking partner organizations to join in this important effort.

The new IDC study is freely available: The Benefit of Modernizing jQuery Deployments

OpenJS Resources

To learn more about how you could be a part of the OpenJS Foundation, click here.

About OpenJS Foundation

The OpenJS Foundation is committed to supporting the healthy growth of the JavaScript ecosystem and web technologies by providing a neutral organization to host and sustain projects, as well as collaboratively fund activities for the benefit of the community at large. The OpenJS Foundation is made up of 35 open source JavaScript projects including Appium, Electron, Jest, jQuery, Node.js, and webpack and is supported by 26 corporate and end-user members, including GoDaddy, Google, IBM, Joyent, Microsoft, and the Sovereign Tech Fund. These members recognize the interconnected nature of the JavaScript ecosystem and the importance of providing a central home for projects which represent significant shared value. 

About Alpha-Omega

Alpha-Omega is an associated project of the OpenSSF, established in February 2022 and funded by Microsoft, Google, and Amazon. Its mission is to protect society by catalyzing sustainable security improvements to the most critical open source software projects and ecosystems, trying to build a world where critical open source projects are secure and where security vulnerabilities are found and fixed quickly. For more information please visit the Alpha-Omega website.

About the OpenSSF

The Open Source Security Foundation (OpenSSF) is a cross-industry initiative by the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit us at openssf.org. 

About Linux Foundation

Founded in 2000, the Linux Foundation is supported by more than 1000 members and is the world’s leading home for collaboration on open source software, open standards, and open hardware. Linux Foundation projects like Linux, Kubernetes, Node.js and more are considered critical to the development of the world’s most important infrastructure. Its development methodology leverages established best practices and addresses the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit their website.

This post was originally published on PR Newswire.

Better Features and Operational Benefits Come with Current jQuery Use

By Blog, jQuery, jQuery Security

Sponsored guest post by Al Gillen, International Data Corporation (IDC)

After decades of being sequestered in a back room and treated as a service department for other parts of the business, information technology (IT) professionals now enable modern, critical business operations. In many organizations today, IT is becoming integral to and inextricably intertwined with the business. With this newfound attention come increased expectations and increased responsibility to ensure that applications, application services, and data services are robust, feature-rich and secure.

As a result, the pressure on IT departments to perform well and deliver quickly is increasing, thanks to greater corporate reliance upon the applications, websites, and cloud services used to operate and promote the business. In many cases, the software directly powering today’s external-facing solutions is open source, and in the majority of scenarios, there is reliance, at least in part, upon open source software (OSS) technologies in the underlying software stack. 

OSS is available in a multitude of formats and support models. For many critical enterprise deployment scenarios, OSS technologies must have a reliable governance model and a large and healthy community surrounding the technology. In some cases, there is also a commercial support option. Of course, if the technology is available with ongoing maintenance and upgrades at no subscription cost for accessing that ecosystem, that is a real bonus. 

Such is the case for jQuery, which continues to evolve with new features and stronger security thanks to an engaged and attentive community organized by and supported by the OpenJS Foundation, a Linux Foundation organization. The OpenJS Foundation, working with its community, continues to deliver regular updates to the widely-used jQuery solution.

IDC conducted research on the use of jQuery in the U.S., Germany and the U.K., with a total of 509 survey respondents in those three countries representing small, medium and large businesses across 23 distinct industries. The survey participants were selected based on knowing their company’s use of internet-facing websites, but were not qualified based on knowledge of or confirmed use of jQuery. After that qualification, the study found that 89% of the respondents confirmed knowledge of the use of jQuery on their internet-facing websites. This data indicates that jQuery is heavily deployed throughout Internet-facing websites today.

This IDC study focused on gauging how current the customer base is, in terms of the versions of jQuery deployed to support internet-facing websites. The good news is that 44% of organizations that IDC contacted are using current versions of jQuery on at least some of their Internet-facing websites. But the less good news is that over half of the respondents are either slightly behind or significantly behind on the versions of jQuery in use on their websites, with those respondents citing the use of a version of jQuery that is no longer under maintenance by the OpenJS Foundation and its community. Unfortunately, many users are unaware of what versions of jQuery are under active support today.

There are, of course, risks associated with using any software that may no longer be under current maintenance, and this concern is not limited to open source software; the same would be true of using proprietary software that is no longer supported, patched, and updated.

But equally important is that some of the best features that a given technology offers are typically found in the most modern versions. These cutting-edge features often are used by digital innovators to create differentiation for their customer experience or the user experience associated with the products and services they deliver.

Further compounding the risks associated with using out-of-support versions of jQuery is that most organizations that completed this survey indicated that they are using jQuery for capturing and processing personally identifiable information (PII). Across the survey sample, including respondents using in-support and out-of-support versions of jQuery, 80% of the respondents are capturing one or more types of PII. For organizations using versions of jQuery that pre-date v3.6.0, this data capture can represent a potential risk, as any mishandling of PII could potentially lead to regulatory compliance issues for the business.

The good news is that most organizations say they are either up to date or have the ability to get there. In fact, 3 out of 4 respondents fall into this camp. The other quarter of the respondents to this survey say they will need help or cannot update their jQuery instances. Even in the case of the 36% who say they can get current (roughly half of the 75% that say they are current or can get current), the urgency to make that upgrade – even with the capture of PII and the lack of ongoing support from the jQuery community – is not enough motivation to make such an upgrade a high priority.

The take-away from this study is simple: jQuery users have access to a robust, community-supported technology that is free from subscription costs for them to acquire or use, and this project is seeing continual investment and enhancement. Users are already enjoying considerable benefits from the technology, but if you are not using current versions, you owe it to your business to move forward to a supported version to maximize the benefit and minimize any potential risks. 

OpenSSF Project Alpha-Omega Invests in the OpenJS Foundation and jQuery to Help Secure the Consumer Web

By Announcement, Blog, jQuery, jQuery Security

By: Robin Ginn, Executive Director, OpenJS Foundation and Brian Behlendorf, General Manager, OpenSSF

Today, we’re excited to share that the Open Source Security Foundation (OpenSSF) Project Alpha-Omega is committing $350,000 to reduce potential security incidents for jQuery by helping modernize its consumers and its code.

This is the second funded project coming from the OpenSSF to the OpenJS Foundation, the neutral home for JavaScript and the web. Earlier this year OpenSSF selected Node.js as its initial project, committing $300,000 to focus on improving supply chain security. 

OpenJS, working with the jQuery maintainers and industry experts, will undertake three core initiatives under this grant: an ecosystem risk audit, an expansion of its infrastructure modernization project, and a web modernization campaign.

“There’s a lot of work to be done to help secure the consumer web,” said Michael Scovetta, Alpha-Omega co-lead and Principal Security PM Manager at Microsoft. “We believe partnering with the vendor-neutral OpenJS Foundation is a great way to communicate out broadly to developers and to work with technology partners to reduce potential security incidents for jQuery. This is a wide ranging effort that is by no means simple.” 

jQuery Core is still actively maintained, and the maintainers have taken steps to consolidate and modernize its infrastructure with support from the OpenJS Foundation, including migrating and improving its CDN. jQuery is still used by 77% of the world’s top 10 million websites, but one-third of those sites are still using 15-year-old legacy jQuery 1.x when they should be using a much more current version.

As part of its modernization initiative, OpenJS Foundation has also helped two projects under the jQuery umbrella, jQuery UI and jQuery Mobile, through a careful transition. However, there is much work to be done to fully understand and mitigate potential risks.

“The use of ubiquitous technologies like jQuery is invisible to most, however potential problems could affect millions of websites. And, there’s no one-size-fits-all solution. This is exactly the type of project that the OpenSSF is looking to support, and we are excited to be working on our second project with the OpenJS Foundation, helping to advance open source security for all,” said Michael Winser, Alpha-Omega co-lead and Group Product Manager for Software Supply Chain Security and CI/CD at Google. “We are pleased to be committing to this project with the OpenJS Foundation and jQuery.”

The OpenJS Foundation and OpenSSF are looking forward to working closely together to help developers around the globe improve their open source security readiness!

If you’re interested in finding out how you can help, please contact the OpenJS Foundation via https://openjsf.org/collaboration/.