RedScore.ai

Fixes

Third-Party Risk Surface · Updated 2026-05-02

Risky Library Detection

Flags polyfill.io, AngularJS (EOL), vulnerable jQuery/Bootstrap/Lodash, deprecated moment.js. polyfill.io = immediate supply-chain critical.

This check scans your page source and inline scripts for known-bad and known-deprecated JavaScript libraries: compromised supply-chain hosts, end-of-life frameworks, vulnerable versions of major libraries, and libraries flagged for migration. Each finding deducts points; the most impactful single finding (polyfill.io) takes the whole 10-point weight by itself.

How the check works

Per primary host, the check builds a blob from the response HTML and inline scripts, then runs pattern matches against a deny list. Per-finding deductions stack but cap at 10 (the full weight):

  • polyfill.io (deduction 10, reason: polyfill_io_detected): the polyfill.io domain was acquired by a Chinese CDN in early 2024 and began serving malicious code mid-2024 to over 100,000 sites. Any reference to polyfill.io is treated as critical.
  • AngularJS / Angular 1.x (deduction 10, reason: eol_framework_detected): end-of-life since January 2022. No security patches are issued.
  • jQuery < 3.5.0 (deduction 7, reason: vulnerable_library_detected): pre-3.5 versions have known XSS vulnerabilities (CVE-2020-11022, CVE-2020-11023).
  • Bootstrap 3.x before 3.4.1, or Bootstrap 4.x before 4.3.1 (deduction 7, reason: vulnerable_library_detected): XSS in tooltip / popover components (CVE-2018-14041, CVE-2019-8331, etc.).
  • Lodash < 4.17.21 (deduction 7, reason: vulnerable_library_detected): prototype pollution (CVE-2020-8203, CVE-2021-23337).
  • moment.js any version (deduction 3, reason: moment_js_detected): not vulnerable per se, but the project is in maintenance-only mode and the maintainers explicitly recommend migrating to a modern alternative.

Score = (10 - deduction) / 10. Verdict via the standard tech composite mapping.
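As an added example (not RedScore's own code), the following reimplements the deny list, stacking-and-capping deductions and score formula described above in JavaScript. The version-string formats it recognises (jquery-3.4.1, lodash@4.17.15, jQuery v3.4.1) and the pass/warn/fail mapping taken from this page's evidence section are assumptions:

```javascript
// Added example: a reimplementation of the deny-list check described above, not
// RedScore's own code. Versions are assumed to appear as "jquery-3.4.1",
// "jquery@3.4.1" or "jQuery v3.4.1" (same shapes for bootstrap and lodash).
const FULL_WEIGHT = 10;

// "3.4.1" -> [3, 4, 1]; missing parts count as 0 when comparing.
function parseVer(s) { return s.split('.').map(Number); }
function verLt(a, b) {
  const [x, y] = [parseVer(a), parseVer(b)];
  for (let i = 0; i < 3; i++) {
    if ((x[i] || 0) !== (y[i] || 0)) return (x[i] || 0) < (y[i] || 0);
  }
  return false;
}

// Every version of `name` mentioned in the blob, from URLs or inline banners.
function versionsOf(blob, name) {
  const re = new RegExp(name + '(?:[-@]|\\s+v?)(\\d+\\.\\d+(?:\\.\\d+)?)', 'gi');
  return [...blob.matchAll(re)].map(m => m[1]);
}

// Bootstrap 3.x before 3.4.1 or 4.x before 4.3.1 (tooltip/popover XSS).
function bootstrapVulnerable(v) {
  const major = parseVer(v)[0];
  return (major === 3 && verLt(v, '3.4.1')) || (major === 4 && verLt(v, '4.3.1'));
}

// Runs the deny list over one page blob; deductions stack but cap at the weight.
function riskyLibraryCheck(blob) {
  const findings = [];
  const flag = (reason, deduction, lib) => findings.push({ lib, reason, deduction });
  if (/polyfill\.io/i.test(blob)) flag('polyfill_io_detected', 10, 'polyfill.io');
  if (/\bangular(?:\.min)?\.js\b|angularjs|angular[-@]1\.\d/i.test(blob)) flag('eol_framework_detected', 10, 'angularjs');
  if (versionsOf(blob, 'jquery').some(v => verLt(v, '3.5.0'))) flag('vulnerable_library_detected', 7, 'jquery');
  if (versionsOf(blob, 'bootstrap').some(bootstrapVulnerable)) flag('vulnerable_library_detected', 7, 'bootstrap');
  if (versionsOf(blob, 'lodash').some(v => verLt(v, '4.17.21'))) flag('vulnerable_library_detected', 7, 'lodash');
  if (/\bmoment(?:\.min)?\.js\b|moment@\d/i.test(blob)) flag('moment_js_detected', 3, 'moment');
  const deduction = Math.min(FULL_WEIGHT, findings.reduce((s, f) => s + f.deduction, 0));
  const score = (FULL_WEIGHT - deduction) / FULL_WEIGHT;
  // Verdict per this page's evidence mapping (assumed to match the composite mapping).
  const verdict = findings.length === 0 ? 'pass'
    : findings.every(f => f.reason === 'moment_js_detected') ? 'warn' : 'fail';
  return { findings, deduction, score, verdict };
}

// Constructed sample page: a vulnerable CDN jQuery, an inlined Lodash banner, and moment.
const SAMPLE_HTML = `<script src="https://cdn.example.com/jquery-3.4.1.min.js"></script>
<script>/* lodash@4.17.15 */ var _ = function () {};</script>
<script src="/vendor/moment.min.js"></script>`;
```

Running riskyLibraryCheck(SAMPLE_HTML) yields three findings (7 + 7 + 3 = 17, capped to 10), so the score is 0 and the verdict is fail; a page whose only hit is moment scores 0.7 and warns.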

How the verdict maps to evidence

  • Pass: no risky libraries detected.
  • Warn: only the moment.js signal (deduction 3 = score 0.7).
  • Fail: polyfill.io, AngularJS, or any vulnerable jQuery/Bootstrap/Lodash version.

Special states

  • Not Applicable: primary serves a default/empty placeholder.
  • Degraded: probe data unavailable. Fix Web Assessability first.

Fix per finding

polyfill.io (critical)

Treat as an active supply-chain compromise. The domain was sold to a Chinese CDN in February 2024; by June 2024 it was serving malicious code to user browsers (Cloudflare and other observers reported real attacks). Any reference must come out immediately:

  • Search your codebase: grep -rE 'polyfill\.io' --include='*.html' --include='*.js' --include='*.tsx' --include='*.jsx' .
  • Check templates, third-party widgets, ad tags, analytics snippets, and CDN includes.
  • Replace with self-hosted polyfills, the Cloudflare-hosted polyfill.io fork (cdnjs.cloudflare.com/polyfill/), or modern code that does not need polyfills (most pre-2018 polyfill needs are now native browser features).
  • Verify by searching CT logs and third-party SBOM tools for polyfill.io references.

AngularJS (EOL framework)

AngularJS (Angular 1.x) reached end-of-life on December 31, 2021. No security patches since. Migration paths:

  • Migrate to Angular (2+, current version 17+). Substantial rewrite but the supported successor.
  • Migrate to React, Vue, or Svelte. Simpler frameworks, easier hire pool.
  • Use ngUpgrade for incremental migration if you must keep the AngularJS app running during transition.
  • If migration is genuinely impossible short-term: lock down the AngularJS deployment with strict CSP, isolate the app behind authentication, and accept the risk explicitly.

jQuery < 3.5.0

Upgrade jQuery

<!-- Replace: -->
<script src="https://cdn.example.com/jquery-3.4.1.min.js"></script>

<!-- With (current): -->
<script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/jquery.min.js"
        integrity="sha384-J6qa4849blE2+poT4WnyKhv5vZF5SrPr0iMW1wG8R1yT8fp0iUtVPGqVzt1NQzyN"
        crossorigin="anonymous"></script>

<!-- Or migrate off jQuery entirely; modern browsers support most jQuery
     features natively (querySelector, fetch, classList, etc.). -->

Bootstrap (vulnerable versions)

Bootstrap 3.x is end-of-life. Bootstrap 4.x is supported but vulnerable below 4.3.1. Bootstrap 5.x is current. Migration:

  • If on 3.x: upgrade to 5.x. Significant CSS / markup changes; plan a refactor.
  • If on 4.x below 4.3.1: bump to 4.6.2 (last 4.x release) as a quick fix; plan migration to 5.x for long-term support.
  • If on 5.x: ensure you are on a current minor release; the project keeps shipping security and feature fixes.

Lodash < 4.17.21

Upgrade Lodash

# Bumping in package.json:
npm install [email protected]

# Or migrate off Lodash for new code; modern JS has many of Lodash's
# features natively (Array.flat, Array.flatMap, Object.entries,
# Object.fromEntries, structuredClone, etc.).

moment.js (deprecated)

moment.js is in maintenance mode; the team recommends new code use modern alternatives. Choose based on need:

  • date-fns: functional, tree-shakeable, ~3KB per function. Best for new code.
  • Luxon: from the moment.js team itself. Class-based API similar to moment.
  • Day.js: similar API to moment, much smaller (~2KB). Good drop-in replacement.
  • Temporal: native browser API (still being standardized). Future-proof but not yet universally supported.

Verify the fix

  • View page source for any references to polyfill.io, angular.js, jquery-X.Y.Z, bootstrap-X.Y.Z, lodash, or moment.
  • DevTools → Sources panel: list all loaded scripts, check versions in URL paths.
  • Run snyk or npm audit on your package.json for full dependency-tree vulnerability scanning beyond what this check sees.
  • Re-run the RedScore lookup. The score recovers immediately on the next scan after removing flagged libraries.

Common pitfalls

  • polyfill.io still loaded by an embedded widget. Some old marketing widgets and analytics tags include polyfill.io as a dependency. Audit every embedded third-party tag, not just your direct includes.
  • Library version not in URL. Some bundlers concatenate libraries inline; the check sees the inline content. Check inline scripts as well as external src tags.
  • Self-hosted vulnerable copy. Hosting jQuery 3.4.1 on your own CDN does not make it safe; the version is what matters. Upgrade the version, not just the hosting.
  • Bootstrap CSS-only without JS. The XSS issues are in Bootstrap's JavaScript components (tooltips, popovers, modals). If you use Bootstrap purely for CSS without the JS, the vulnerabilities do not affect you, but the check still flags the version. The fix is the same: upgrade.
  • moment.js shipped via dependency tree. If a third-party library you use depends on moment.js, you cannot remove moment.js without replacing or upgrading that dependency. Run npm ls moment to find the path.
  • Detection is signature-based. The check uses pattern matches; obfuscated, minified, or unusually-named versions of these libraries may slip through. Conversely, mentions in inline comments or docs may falsely trigger. Treat findings as the start of an audit, not the end.
  • Other vulnerable libraries the check does not catch. The deny list is fixed; many other libraries have known vulnerabilities. Use snyk, npm audit, GitHub Dependabot, or similar for full coverage.
