Why Is the Browser the Most Vulnerable App? 

by Talon Research
March 31st, 2022

Executive summary 

  • With 2,346 common vulnerabilities and exposures (CVEs), the browser is the most vulnerable application and the second most vulnerable software (inclusive of operating systems) over the course of internet history. 
  • More than 9% of all browser extensions are considered high risk or very high risk. 
  • Chrome in 2021: 
    • As the most popular browser, Chrome was also the most vulnerable application, with 308 CVEs. 
    • 24% of zero-days in the wild were related to Chrome.
    • With respect to the Common Vulnerability Scoring System (CVSS), Chrome CVEs are riskier (6.4) than the average of all other CVEs (6). 

Background 

You’ve probably heard that the browser is the most vulnerable application many times. Perhaps you’ve wondered why it gets such a bad rep. In this post, we prove this statement and back it up with some facts that we have collected. Join us on a journey about browsers, vulnerabilities, and the numbers relating to them all. 

The browser in numbers 

CVE Details reports that all four leading browsers rank in the top 25 with respect to CVEs: Chrome came in 9th with 2,346, Firefox 13th with 1,933, Internet Explorer 24th with 1,168, and Safari 25th with 1,136. (Debuting in 2015, Microsoft Edge has 250 CVEs to date, so it isn’t in the top 25.) 

20,142 CVEs were published for all existing software products in 2021. About 2.5% were related to browsers. Chrome had 308, Firefox 122, Edge 26, and Safari had 33. 

Since Chrome is the most popular browser (62.7% of browser users), it’s evident why it ranked highest in the CVE Details list. The more users an OS or app has, the more threat actors try to break it. So here we focus on Chrome, but the data is likely similar for the other browsers. 

Compared to the other top 10 vulnerable products, Chrome has the second-highest weighted average CVSS with 6.7 (matching that of the Android and iPhone OSes). 

2021 Chrome statistics 

  • The weighted average CVSS (ver. 3.x) for all vulnerabilities in 2021 was 6. 
  • Singling out Chrome, it had an average of 6.4. 
  • Google’s Project Zero research unit tracks zero-day exploitation in the wild. Of all 57 zero-days found in 2021, 14 (24.5%) were Chrome vulnerabilities exploited in the wild. (Project Zero does not track the Edge browser.) 
  • VulDB.com shows that 2021 had the second-highest number of vulnerabilities of the past 14 years, 365 CVEs in total. Only 2013 was worse security-wise, with 378 CVEs that year. 
Source: vuldb.com. Note: 2022 details are incomplete.

Extensions pose added risk 

Beyond the documented Chrome CVEs, the browser has over 180,000 extensions, with 150,000 available in the web store. Malicious extensions threaten the browser; cybersecurity enterprises discover and report them to Google for removal. These are not listed (or counted) as Chrome vulnerabilities, yet they pose huge potential damage for enterprises. 

Chrome-Stats has identified 16,143 extensions as being in its high risk category, with a further 111 presenting very high risk. This means 9% of extensions are suspected of being unsafe for use. 

Summary 

As we’ve shown, the browser is indeed the most vulnerable application. Not only does it carry a large number of vulnerabilities, but also risky ones. Extensions add extra risk to the browser, with many considered very dangerous. Moreover, browser CVEs are related to the most dangerous software weaknesses. 

It’s crucial to make sure you’re working in the safest browser, that you keep it up to date, and remain aware of the damage that can be caused by using one that is insecure. Talon has created the first enterprise browser specifically developed to implement the highest levels of cybersecurity for a modern, distributed workforce—all while reducing complexity and cost.
