Severity: low | CWE-353 | OWASP A08:2021

Missing Subresource Integrity (SRI)

CDN-hosted scripts and stylesheets are loaded without an integrity attribute, so a compromised CDN can serve malicious versions of your dependencies to all of your users.

How It Works

SRI lets you include a cryptographic hash of a resource in the HTML. The browser computes the hash of the downloaded file and refuses to execute it if it doesn't match. Without SRI, if the CDN is compromised (as has happened with cdnjs, polyfill.io, and others), your users run whatever the CDN serves.

Vulnerable Code

<!-- BAD: CDN script without integrity check -->
<script src="https://cdn.jsdelivr.net/npm/lodash@4.17.21/lodash.min.js"></script>

Secure Code

<!-- GOOD: SRI hash ensures file hasn't changed -->
<!-- crossorigin is required: the browser can only hash a cross-origin response it is allowed to read -->
<script
  src="https://cdn.jsdelivr.net/npm/lodash@4.17.21/lodash.min.js"
  integrity="sha256-qXBd/EfAdjOA2FGrGAG+b3YBn2tn5A6bhz+LSgYD96k="
  crossorigin="anonymous"
></script>

Real-World Example

In 2024, polyfill.io (a widely used CDN serving browser polyfills) was acquired by a Chinese company that began injecting malicious JavaScript into the files it served. Over 100,000 websites loading the polyfill.io script were instantly compromised. SRI would have blocked the altered files.

How to Prevent It

  • Add integrity and crossorigin attributes to all CDN-hosted scripts and stylesheets
  • Generate SRI hashes at srihash.org or with openssl dgst -sha256 -binary FILE | openssl base64 -A (the base64 digest, prefixed with the algorithm name, is the integrity value)
  • Pin to exact versions on CDNs (not @latest) so the hash stays valid
  • Better yet: bundle dependencies yourself and avoid public CDNs for critical scripts

Affected Technologies

React, Next.js, JavaScript
