JavaScript has become a popular and pervasive programming language used by many websites to build interactive content. But like other popular tools and technologies, JavaScript is beset with vulnerabilities that hackers can exploit to steal sensitive online data. A report released Tuesday by security provider Tala Security maintains that most major websites are ill-equipped to combat the flaws in JavaScript, thus putting their customer and user data at risk.

SEE: The 10 most important cyberattacks of the decade (free PDF) (TechRepublic)

For its “2020 Global Data at Risk State of the Web Report,” Tala analyzed the security defenses of the top 1,000 websites as ranked by Alexa. This list includes major sites such as Google, YouTube, Baidu, Facebook, Yahoo, Amazon, Zoom, Netflix, and Microsoft. Citing a “troubling lack of security controls required to prevent data theft,” the report said that these sites are vulnerable to client-side attacks that exploit JavaScript vulnerabilities, including Magecart, formjacking, cross-site scripting, and credit card skimming.

The risk from JavaScript exploitation is higher in 2020 as the average website now includes content from 22 different third-party JavaScript vendors, up slightly from the level seen in 2019. Some 58% of the content that appears in a user’s browser is delivered by these third-party JavaScript integrations.

The interactive forms found on 92% of the analyzed websites expose data to on average 17 different domains. This data includes personally identifiable information (PII), login credentials, card transactions, and medical records. Based on Tala’s analysis, this data is exposed to 10 times more domains than intended, one reason Magecart, formjacking, and card skimming attacks are able to continue.

Some 99% of websites globally include multiple client-side vulnerabilities, making them attractive targets for attackers.
Image: Tala Security

Though Magecart attacks often capture the most attention, no form of attack is more pervasive than cross-site scripting (XSS). A full 97% of the websites examined are using dangerous JavaScript functions that could open the door to a DOM XSS attack. Though standards-based security controls could prevent these attacks, such controls aren’t applied consistently or frequently enough, according to Tala.

“JavaScript powers today’s rich, highly customized web experience and enables digital transformation across all industry sectors,” Tala Security founder and CEO Aanand Krishnan said in a press release. “The fact that it remains largely unguarded is both surprising and disappointing. Websites generate massive volumes of high-value data, making them a primary target for attackers. The fundamental issue with the way today’s websites are secured is that user data is greatly exposed to third-party applications and services and that data leakage is occurring even from trusted third-party resources.”

How can websites better guard against data theft and leakage due to JavaScript vulnerabilities? Tala recommends that site developers implement such controls as Content Security Policy (CSP), Subresource Integrity (SRI), and HTTP Strict Transport Security (HSTS), all of which can mitigate against JavaScript-based client-side attacks.

“Standards-based security controls are built-into all modern browsers and are designed specifically to address the vulnerabilities created by modern web architecture, including client-side attacks,” Tala said in its report. “Applied and managed correctly, these security standards, including Content Security Policy (CSP), Subresource Integrity (SRI), and others [such as HTTP Strict Transport Security (HSTS)] will mitigate client-side risk, including zero-day threats, offering a future-proof solution with no impact to website performance or user experience. Leveraging tools that complement these capabilities by monitoring and preventing PII and other data leakage provides a comprehensive defense-in-depth approach.”