JS Library CVE Scanner
Scans every script loaded on any webpage, fingerprints JavaScript libraries and their exact versions, and cross-references against a bundled database of known CVEs. Identifies jQuery, Angular, React, Lodash, Bootstrap, Moment.js, and 50+ other libraries. Free alternative to Snyk, Retire.js Pro, and commercial SCA tools.
Drag to your bookmarks bar:
⚡ Scan JS Libraries
Runs on any website — all processing in your browser.
Install the bookmarklet, then use it on any website
JS Library CVE Scanner
Outdated JavaScript libraries are one of the most common attack vectors. This tool replicates the functionality of commercial SCA (Software Composition Analysis) tools by fingerprinting loaded libraries via global objects and URL patterns, then checking versions against a curated vulnerability database.
Detection Methods
Libraries are identified through two methods: global object inspection (e.g., jQuery.fn.jquery, _.VERSION) and URL pattern matching against script src attributes. Version comparison uses semantic versioning to determine if a library is below the patched version.
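The two detection methods and the version check described above, as an added example that is not the scanner's own code. The advisory ids and fixed-in versions in `SAMPLE_DB`, the URL patterns, the `cdn.example` host and all function names are constructed for illustration; in a browser the call would be `scan(window, [...document.scripts].map(s => s.src))`.

```javascript
// Constructed sample database: ids and fixedIn versions are placeholders, not a CVE feed.
const SAMPLE_DB = {
  jquery: [{ id: 'ADVISORY-PLACEHOLDER-1', fixedIn: '3.5.0' }],
  lodash: [{ id: 'ADVISORY-PLACEHOLDER-2', fixedIn: '4.17.21' }],
};
// Method 1: global objects. jQuery.fn.jquery and _.VERSION are the two named above.
const GLOBAL_PROBES = {
  jquery: (g) => g.jQuery && g.jQuery.fn && g.jQuery.fn.jquery,
  lodash: (g) => g._ && g._.VERSION,
};
// Method 2: script src patterns (assumed shapes, e.g. jquery-3.4.1.min.js, lodash@4.17.15/).
const URL_PATTERNS = {
  jquery: /jquery[-@\/.]v?(\d+\.\d+\.\d+)/i,
  lodash: /lodash(?:\.js)?[-@\/.]v?(\d+\.\d+\.\d+)/i,
};
// Numeric major.minor.patch compare (a string compare ranks 3.10.0 below 3.9.1).
// Pre-release suffixes such as -rc.1 are ignored here. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const parse = (v) => String(v).split('-')[0].split('.').map((n) => parseInt(n, 10) || 0);
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}
// A version read from a live global is preferred over one parsed out of a URL.
function detectLibraries(globalObj, scriptSrcs) {
  const found = new Map();
  for (const [name, probe] of Object.entries(GLOBAL_PROBES)) {
    const v = probe(globalObj);
    if (typeof v === 'string') found.set(name, { version: v, via: 'global' });
  }
  for (const src of scriptSrcs) {
    for (const [name, re] of Object.entries(URL_PATTERNS)) {
      const m = re.exec(src);
      if (m && !found.has(name)) found.set(name, { version: m[1], via: 'url' });
    }
  }
  return found;
}
// Report every advisory whose fixedIn version is above the detected version.
function scan(globalObj, scriptSrcs, db = SAMPLE_DB) {
  const findings = [];
  for (const [name, hit] of detectLibraries(globalObj, scriptSrcs)) {
    for (const adv of db[name] || []) {
      if (compareVersions(hit.version, adv.fixedIn) < 0) findings.push({ name, ...hit, advisory: adv.id });
    }
  }
  return findings;
}
```

A library that is bundled without a global and served from a URL with no version string produces no entry at all, so an empty result means "nothing detected", not "nothing outdated".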
- SCA (Software Composition Analysis): scanning third-party dependencies for known vulnerabilities. Commercial tools (Snyk, Mend) charge $50-500/mo for this capability.
⚡ JS Library CVE Scanner — FAQ
How many libraries can it detect?
The scanner includes fingerprints for 20+ major libraries including jQuery, Angular, React, Vue, Lodash, Moment.js, Bootstrap, Handlebars, and more. The CVE database covers the most commonly exploited vulnerabilities in each.
How current is the CVE database?
The bundled database covers major CVEs through early 2026. It focuses on high-impact vulnerabilities with known exploit chains rather than every advisory.
Can it detect minified/bundled libraries?
It detects libraries that expose global objects (most do) and those loaded from CDN URLs with version numbers. Deeply bundled libraries without globals may not be detected.
Is this a replacement for a full SCA tool?
It covers client-side JavaScript libraries visible in the browser. Server-side dependencies, transitive dependencies, and non-JS components require tools like Snyk or npm audit.
Does it scan the source code?
It reads script src URLs and checks global JavaScript objects — it does not decompile or parse minified source code.