If you look at the bottom of the page of aes.js you pointed at you will find:
Interoperability With OpenSSL
Encrypt with OpenSSL:
openssl enc -aes-256-cbc -in infile -out outfile -pass pass:"Secret Passphrase" -e -base64
Decrypt with CryptoJS:
<script src="http://crypto-js.googlecode.com/svn/tags/3.1.2/build/rollups/aes.js"></script>
<script>
var decrypted = CryptoJS.AES.decrypt(openSSLEncrypted, "Secret Passphrase");
</script>
So aes.js will use OpenSSL-compatible key derivation if you use a passphrase.
Now if you look at the key derivation mechanism performed by OpenSSL, EVP_BytesToKey, you will find this remark:
Newer applications should use more standard algorithms such as PBKDF2 as defined in PKCS#5v2.1 for key derivation.
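The following is an added example, not part of the original answer or of the CryptoJS or OpenSSL code. It shows the passphrase format described above using Node's built-in `crypto` module: the `Salted__` header, the 8-byte salt, and EVP_BytesToKey with MD5 and a single iteration, next to a PBKDF2 derivation of the kind the remark recommends. The function names, the fixed sample salt and the PBKDF2 iteration count are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// EVP_BytesToKey with MD5 and one iteration: D_i = MD5(D_{i-1} || passphrase || salt)
function evpBytesToKey(passphrase, salt, keyLen, ivLen) {
  const pass = Buffer.from(passphrase, 'utf8');
  let block = Buffer.alloc(0);
  let out = Buffer.alloc(0);
  while (out.length < keyLen + ivLen) {
    block = crypto.createHash('md5').update(Buffer.concat([block, pass, salt])).digest();
    out = Buffer.concat([out, block]);
  }
  return { key: out.subarray(0, keyLen), iv: out.subarray(keyLen, keyLen + ivLen) };
}

// Payload layout before base64: "Salted__" (8 bytes) | salt (8 bytes) | ciphertext
function opensslEncrypt(plaintext, passphrase, salt) {
  const { key, iv } = evpBytesToKey(passphrase, salt, 32, 16);
  const c = crypto.createCipheriv('aes-256-cbc', key, iv);
  const body = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return Buffer.concat([Buffer.from('Salted__'), salt, body]).toString('base64');
}

function opensslDecrypt(b64, passphrase) {
  const raw = Buffer.from(b64, 'base64');
  if (raw.length < 32 || raw.subarray(0, 8).toString('latin1') !== 'Salted__') {
    throw new Error('not an OpenSSL salted payload');
  }
  const { key, iv } = evpBytesToKey(passphrase, raw.subarray(8, 16), 32, 16);
  const d = crypto.createDecipheriv('aes-256-cbc', key, iv);
  return Buffer.concat([d.update(raw.subarray(16)), d.final()]).toString('utf8');
}

// PBKDF2 alternative: same inputs, but with a work factor (iteration count is an assumed value)
function pbkdf2KeyIv(passphrase, salt, iterations = 600000) {
  const out = crypto.pbkdf2Sync(passphrase, salt, iterations, 48, 'sha256');
  return { key: out.subarray(0, 32), iv: out.subarray(32, 48) };
}

// Constructed sample input; a real encryptor picks a random salt per message.
const SAMPLE_SALT = Buffer.from('0102030405060708', 'hex');
const SAMPLE = opensslEncrypt('hello world', 'Secret Passphrase', SAMPLE_SALT);
```

Because the derivation is a single MD5 pass per 16 bytes of output, the strength of the key rests almost entirely on the passphrase; PBKDF2 adds a tunable cost per guess.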