NT Analyzer adds JavaScript file analysis feature

NT Analyzer recently added API mapping to its complement of services. We have now also incorporated JavaScript file analysis, which targets the JavaScript files that are downloaded to a user’s browser from third-party remote hosts while the user navigates a company’s website.
Third-party JavaScript can obtain deep access to a user’s browsing experience, including data that a user enters into forms as well as a user’s interaction with various page features. Privacy and security analysis of third-party JavaScript plays an important role in the context of privacy risk assessments, website audits, and other privacy reviews.
JavaScript file analysis helps to shed significant light on the following topics:
- Latent Data Disclosure Risks
  - JavaScript may cause third parties to collect personal data only in some scenarios and not others, thereby introducing a latent risk of data transmission. JavaScript file analysis is the best way to expose these latent risks.
- Unauthorized or Unnecessary Data Collection
  - JavaScript often powers services or features provided by third parties, such as analytics providers, social media widgets, ad delivery, etc.
  - JavaScript file analysis can highlight scripts that collect user data beyond what is needed or legally permitted. This is a powerful way to identify verbose data collection and enforce data minimization.
- Compliance with Cookie Consent and Tracking Requirements
  - Many privacy regulations govern how cookies are set and how user tracking is managed. JavaScript file analysis may identify scripts that are setting cookies or using technologies like localStorage contrary to user choice.
- Assessing Security Measures and Vulnerabilities
  - Analysis can reveal potential injection points in code where malicious inputs could leak or compromise data.
  - Tools can flag insecure or outdated functions, libraries, or APIs that might open the door to security breaches.
  - For instance, if a script directly manipulates the DOM with unescaped user input, that could lead to cross-site scripting (XSS), a serious security issue.
- Version and Dependency Audits
  - As part of an overall privacy and security strategy, analyzing JavaScript dependencies ensures the libraries you are using are actively maintained and do not have known security vulnerabilities.
- Overcollection of Personal Data by Logging and Error Reporting Functions
  - JavaScript logging or error reporting services (e.g., Sentry) often gather user session data. Analysis can verify that these services only collect anonymized or necessary information.
  - This helps prevent unintended logging of sensitive information in your monitoring tools.
- Documentation and Reporting
  - Detailed automated reports from static JavaScript file analysis play an important role in demonstrating due diligence and documenting compliance with privacy laws.
By incorporating JavaScript file analysis into your development and audit workflows, you gain visibility into all data-related operations in your code. This helps you remain compliant with privacy regulations, protects your users’ data, and reduces the risk of breaches or misuse.
For more information, please contact Steven Roosa (steven.roosa@nortonrosefulbright.com), Phil Hodgkins (philip.hodgkins@nortonrosefulbright.com), or Wenda Tang (wenda.tang@nortonrosefulbright.com).