Last updated on: November 16, 2022
A new QID, 150545, has been added that reports external JS libraries separately. This QID is detected in both Discovery and Vulnerability scans.
Lack of Availability
If JS is loaded from an external domain, that domain must always be available. If the fetch fails, the script is not loaded into the application, and any functionality that depends on it breaks. The file could also be renamed, or its URL could change, which would likewise cause the resource to fail to load.
When utilizing external JS, the external organization controls the source. Any change made to the source file is loaded into the application as-is. This may cause performance or functionality issues, and if the provider itself is compromised, the change may be malicious.
Although the cost is becoming more negligible, utilizing external resources still leads to slower overall page loads.
4th Party JS
The external (third-party) JS may itself load additional JS from other domains. The further removed the JS becomes from the page that includes it, the less control an organization has over what runs in its application.
Sub Resource Integrity (SRI)
SRI allows a hash of the file to be verified when the browser fetches the JS file: the integrity attribute on the script tag carries the expected hash, and the browser refuses to execute the file if the hash of the bytes it received does not match. This ensures the file has not been modified from what is expected. Two caveats apply: a cross-origin script must be served with CORS headers and loaded with crossorigin="anonymous", otherwise the browser cannot read the bytes to hash them and blocks the load; and any legitimate update by the provider will also be blocked until the hash in the page is updated, which is the trade-off for the lack of control described above.
Qualys WAS detects missing SRI with QID 150261, Sub Resource Integrity (SRI) Not Implemented.
Content Security Policy (CSP)
CSP allows developers to allowlist the origins from which resources may be loaded, via the Content-Security-Policy response header. This covers JS, images, fonts and more. For the fourth-party problem above, a script-src directive that names only the domains actually in use is what prevents a third-party script from pulling in code from somewhere else; a broad source such as https: allows any HTTPS host and gives little protection.
Qualys WAS detects missing CSP with QID 150206, Content-Security-Policy Not Implemented.