Communications of the ACM, June 2018, Vol. 61 No. 6, Pages 41-47
Practice: “Thou Shalt Not Depend on Me”
By Tobias Lauinger, Abdelberi Chaabane, Christo B. Wilson
Given the risk of using a library with known vulnerabilities, it is important to know how often this happens in practice and, more importantly, who is to blame for the inclusion of vulnerable libraries—the developer of the website, or maybe a third-party advertisement, or tracker code loaded on the website?
We set out to answer these questions and found that with 37% of websites using at least one known vulnerable library, and libraries often being included in quite unexpected ways, there clearly is room for improvement in library handling on the Web. To that end, this article makes a few recommendations about what can be done to improve the situation.