Question

We launched a website 2 weeks ago and our client launched a pen test to check if everything was safe. Unfortunately it looks like we have two issues because of:

  • Vulnerable javascript library: jQuery.ui.dialog : version: 1.10.4 script uri: //static/version1586970304/frontend/Sm/market/fr_BE/jquery/patches/jquery-ui.js
  • Vulnerable javascript library: jQuery version: 1.12.4 script uri: //static/version1586970304/frontend/Sm/market/fr_BE/jquery.js

Is it a real breach? Can we do something to solve it? I'm a bit afraid of updating the library since it will require a lot of work.

Many thanks for your help! Regards

Solution

The jQuery issue is fixed with a simple patch

https://github.com/jquery/jquery/issues/2432#issuecomment-403761229

It sounds severe but really is a minor issue

https://www.cadence-labs.com/2018/07/magento-outdated-jquery-version-how-to-patch-without-upgrading-cve-2015-9251/

// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
jQuery.ajaxPrefilter( function( s ) {
    if ( s.crossDomain ) {
        s.contents.script = false;
    }
});

You can then run the snippet of code with the xss check:

jQuery.get('https://sakurity.com/jqueryxss');

If you’ve correctly implemented the patch, you should no longer see a popup.

Not sure about the jQuery.ui.dialog part

Should be safe to upgrade that

The Magento team doesn't seem too concerned

https://github.com/magento/magento2/issues/14238
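
How the prefilter in the answer above changes jQuery's behaviour, shown as an added example that is not part of the original answer and not jQuery's own code: a simplified model of the Content-Type based dataType inference in jQuery 1.x/2.x. The function names (`defaultContents`, `applyPatch`, `inferDataType`, `wouldExecute`) and the sample requests are constructed for illustration.

```javascript
// Simplified model (an assumption, not jQuery's source) of how jQuery 1.x/2.x
// chooses a dataType from the response Content-Type when the caller gave none.
function defaultContents() {
  return {
    xml: /\bxml\b/,
    html: /\bhtml/,
    json: /\bjson\b/,
    script: /\b(?:java|ecma)script\b/
  };
}

// The prefilter from the answer, applied to one request's settings object.
function applyPatch(s) {
  if (s.crossDomain) {
    s.contents.script = false; // cross-domain responses are never inferred as script
  }
}

// Returns the dataType the response body would be handled as.
function inferDataType(s, contentType) {
  if (s.dataType) return s.dataType; // an explicit dataType skips inference
  for (const type in s.contents) {
    if (s.contents[type] && s.contents[type].test(contentType)) return type;
  }
  return "text";
}

// A response body is evaluated as code only when it is handled as "script".
function wouldExecute(request, contentType, patched) {
  const s = { ...request, contents: defaultContents() };
  if (patched) applyPatch(s);
  return inferDataType(s, contentType) === "script";
}

// Constructed sample requests: [label, settings, response Content-Type].
const CASES = [
  ["cross-domain, no dataType", { crossDomain: true }, "text/javascript"],
  ["same-origin, no dataType", { crossDomain: false }, "text/javascript"],
  ["cross-domain, dataType script", { crossDomain: true, dataType: "script" }, "text/javascript"],
  ["cross-domain, JSON response", { crossDomain: true }, "application/json"]
];

for (const [label, req, ct] of CASES) {
  console.log(label, "| unpatched:", wouldExecute(req, ct, false),
              "| patched:", wouldExecute(req, ct, true));
}
```

Only the first case changes with the patch: same-origin requests and requests that explicitly ask for `dataType: "script"` behave as before, so code that deliberately loads cross-domain scripts keeps working.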

Licensed under: CC-BY-SA with attribution
Not affiliated with magento.stackexchange