Using Amazon's Alexa site index, they then scanned 133,000 websites (drawn from the Alexa top 75K and 75K random .com domains), recording whether any of the 72 libraries was loaded on each site and which version.
In total, researchers detected 11,141,726 JS script file inclusions and inline JS scripts. Below is a summary of the different results researchers obtained:
On top of these numbers, a second-stage analysis surfaced further problems. For example, the median gap between the release date of the vulnerable library version a site loaded and the release date of that library's most recent version was 1,177 days for Alexa sites and 1,476 days for random .com sites.
In other words, many websites keep using old library versions long after updates are available: the median site was running a version three to four years behind the current release of the vulnerable library it loaded.
In addition, libraries pulled in inline or transitively through third-party code and widgets (ads, analytics, social buttons) showed a higher rate of vulnerable versions than libraries the site includes directly through its own script tags.
One explanation is that developers can easily audit the script tags in their own pages and update outdated libraries, but tend to overlook library code pasted inline, and cannot force an advertiser or widget provider to ship a patched version. Since a third-party script runs with the same privileges as the site's own code, the vulnerable version is no less exploitable for having arrived indirectly.
"The paper’s findings are a painful wake-up call," says Tim Kadlec, developer for Snyk, a service that finds vulnerabilities in JS projects. "Generally speaking, our industry has been quick to take advantage of the wealth of resources that open-source development provides, but much slower to recognize and protect ourselves from the risks that can come along with it."