Qualys Introduces New Detection for External JavaScript Libraries

Qualys' new detection helps manage external JavaScript libraries. Protect your web apps with Subresource Integrity and Content Security Policy.

Qualys Web Application Scanning has introduced a new detection, QID 150545, to identify external JavaScript libraries used by applications. This new feature separates external libraries from QID 150176 and helps organisations manage their dependencies more effectively.

Qualys itself pioneered this functionality to highlight externally loaded JavaScript libraries, which can pose several risks. These libraries may not always be available, leading to availability problems for the application. They can also cause performance or functionality issues when the external organisation changes them. Furthermore, they may load additional JavaScript from other domains, reducing the organisation's control.

To mitigate these risks, two security measures can be employed. Subresource Integrity (SRI) verifies the integrity of external JavaScript files, ensuring they haven't been tampered with. Qualys WAS detects the absence of SRI with QID 150261. Additionally, Content Security Policy (CSP) can whitelist the domains from which resources may be loaded, preventing unauthorised scripts from running. Qualys WAS also detects the absence of CSP with QID 150206.
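To make the three checks concrete, the following Node.js script is an added example (not Qualys code, and not how Qualys WAS implements its QIDs): it lists the external scripts on a page, flags those without an SRI `integrity` attribute, and reports whether the page's CSP lists each script's host. The page URL, hosts, policy and HTML are constructed sample values, and the function names are hypothetical.

```javascript
// Added example, not Qualys code. The page, hosts and policy below are constructed.
const PAGE_URL = "https://app.example.com/account";
const CSP = "default-src 'self'; script-src 'self' https://cdn.example.net";
const HTML = `
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib/widgets.min.js"
        integrity="sha384-CONSTRUCTED_PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.example.net/lib/charts.min.js"></script>
<script src="//stats.example.org/t.js"></script>`;

// Hosts listed in script-src (falling back to default-src); null means no usable policy.
// Simplification: only exact host sources are handled, not wildcards or scheme sources.
function scriptSrcHosts(csp) {
  const directives = new Map();
  for (const part of (csp || "").split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    const key = (name || "").toLowerCase();
    if (key && !directives.has(key)) directives.set(key, values); // first occurrence wins
  }
  const values = directives.get("script-src") ?? directives.get("default-src");
  if (!values) return null;
  return values
    .filter((v) => !v.startsWith("'"))                       // drop 'self', 'none', nonces
    .map((v) => v.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "").split("/")[0].toLowerCase());
}

// One finding per <script src> whose origin differs from the page's origin.
function auditScripts(html, pageUrl, csp) {
  const origin = new URL(pageUrl).origin;
  const allowed = scriptSrcHosts(csp);
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = /\ssrc\s*=\s*["']([^"']+)["']/i.exec(tag);
    if (!src) continue;                                      // inline script
    const url = new URL(src[1], pageUrl);                    // resolves relative and //host URLs
    if (url.origin === origin) continue;                     // same-origin, not external
    findings.push({
      url: url.href,
      hasSri: /\sintegrity\s*=\s*["']sha(256|384|512)-/i.test(tag),
      cspAllowsHost: allowed === null ? null : allowed.includes(url.host),
    });
  }
  return findings;
}

console.table(auditScripts(HTML, PAGE_URL, CSP));
```

A `cspAllowsHost` value of `null` means the response carried no policy that restricts scripts; `false` means the browser would block that script under the policy shown.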

The introduction of QID 150545 by Qualys Web Application Scanning enables organisations to better manage external JavaScript libraries. By utilising Subresource Integrity and Content Security Policy, organisations can improve the security of their web applications and their control over them.