Imagine If… Hackers Had Found the Cloudflare CDNJS Vulnerability First
On July 17, news broke of a major security issue in the Cloudflare CDNJS service. A security researcher disclosed a way for hackers to modify scripts served by CDNJS, effectively taking over CDNJS and every library on it.
That’s a huge deal, considering that nearly 13% of all websites on the Internet use Cloudflare CDNJS. According to nerdydata.com, that equates to 1,109,778 sites including Forbes, Yelp and GitLab. Even if only 50% of this list is correct, more than half a million sites could have been affected, many of which you likely use to discover, shop and interact with brands online.
Cloudflare moved quickly to address the vulnerability and there is no indication that it was exploited. But while CDNJS and the huge number of sites that rely on it dodged a bullet, online businesses shouldn’t breathe a sigh of relief just yet.
The Cloudflare incident was a close call. Luckily there were no victims this time, but the CDNJS discovery is a stark reminder for online businesses to understand their risk and protect themselves from script vulnerabilities before it’s too late.
Why is the CDNJS vulnerability important?
Websites today are built from a collection of scripts and libraries, most of which are pulled in from open source JavaScript libraries and vendors. Industry research shows that up to 70% of the scripts on a typical website are third party.
In an effort to move quickly, developers may introduce third-party scripts without sufficient approval or security validation. Also called shadow code, this third-party code may be frequently changed by the vendor that wrote it without your knowledge, rendering any prior security tests meaningless. These scripts may then refer to additional scripts, which call yet another set of scripts, and so on. This introduces a veritable supply (Read more...)
*** This is a Security Bloggers Network syndicated blog from PerimeterX Blog authored by PerimeterX Blog. Read the original post at: https://www.perimeterx.com/resources/blog/2021/imagine-if-hackers-had-found-the-cdnjs-vulnerability-first/