Use of Jquery 1.10 with Known Vulnerability
-
13-04-2021 - |
题
We launched a website 2 weeks ago and our client launch a pen test to check if everything was safe. Unfortunately It looks that we have two issues because of :
- Vulnerable javascript library: jQuery.ui.dialog : version: 1.10.4 script uri: //static/version1586970304/frontend/Sm/market/fr_BE/jquery/patches/jquery-ui.js
- Vulnerable javascript library: jQuery version: 1.12.4 script uri: //static/version1586970304/frontend/Sm/market/fr_BE/jquery.js
Is it real breach? Can we do something to solve it? I'm a bit afraid of updating the library since it will ask a lot of work.
Many thanks for your help! Regards
解决方案
The jquery issue is fixed with a simple patch
https://github.com/jquery/jquery/issues/2432#issuecomment-403761229
It sounds severe but really is a minor issue
// auto-execution of scripts when no explicit dataType was provided (See gh-2432)
jQuery.ajaxPrefilter( function( s ) {
if ( s.crossDomain ) {
s.contents.script = false;
}
});
You can then run the snippet of code with the xss check:
jQuery.get('https://sakurity.com/jqueryxss');
If you’ve correctly implemented the patch, you should no longer see a popup.
Not sure about the jQuery.ui.dialog part
Should be safe to upgrade that
Magento team dont seen too concerned