We have a HTML file with a minified JSlibrary pasted inside with the license header and version number.
Our client reported that it's a security risk (https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration) because the version number of the library is exposed.
If we use an external JS file and just link to the file from the HTML using tag, will the issue still be reported?
If we use an external JS file and just link to the file from the HTML using tag, will the issue still be reported?
It depends (it always does). When you would do it the way as described below, it most likely will:
<script src="https://external.party.com/mylibrary.js"></script>
The reason is you have no control over the library that is loaded in your website. If the remote host somehow get compromised, malicious code could be injected in the user's browser.
There are two options to prevent this issue:
Serve the library locally
Download the library from the external website and load it from your own web server. Make sure that the downloaded library is considered secure (use the latest stable version)
Subresource Integrity
Subresource Integrity (SRI) ensure that resources hosted on third-party servers have not been tampered with. This is done by generating a hash value of the remote library.
The image above is how you should use the generated hash from the HTML code. If this is the route you want to take, please have a look at Mozilla's web site for further information on how to generate the hash and how to configure the content security policy.
https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
