ICSE 2026
Sun 12 - Sat 18 April 2026 Rio de Janeiro, Brazil

Static analysis for vulnerability detection in JavaScript is an extensively studied research area. However, state-of-the-art approaches ignore bundling, an emerging development practice, akin to compilation, which allows developers to merge code from different providers while also applying optimizations to reduce code size. A typical bundle heavily reuses single-letter identifiers and relies extensively on dynamic JavaScript features to emulate code dependencies, thus hindering static analysis.

In this work, we propose a reverse engineering approach that relies on domain-specific code transformations to unpack bundles and replace reidentified libraries with their source code. Our technique applies lightweight static analysis to dissect bundles into individual components, machine learning to identify libraries, and dynamic analysis to verify that libraries were correctly identified. We implement this approach in a tool called D-Bundlr, and evaluate it by comparing the output of CodeQL (a popular static analysis tool) before and after debundling.

For a JavaScript code benchmark with known vulnerabilities, our approach allows CodeQL to recover 89% of the vulnerabilities and 83% of all alerts that were also detected in the source code, but were dormant in bundles. Similarly, for real-world bundles where we can retrieve the source code, D-Bundlr recovered 33% of the original alerts. When applied to bundles extracted from the 100,000 most popular websites, D-Bundlr identifies 34,445 instances corresponding to 63 unique libraries, and causes CodeQL to produce around 3.2K more security alerts than on packed bundles. We additionally illustrate how attackers can exploit some of our zero-day findings, causing unwanted security effects such as advertisement space hijacking.