"Internal (granite:InternalArea) - Defines a node as internal. Nodes classified as internal cannot be overlaid, inherited, or used directly. These nodes are meant only for internal functionality of AEM"
So we are dependent on Adobe releasing a patched version of the jQuery clientlib, with a fix for the jQuery.extend method.
We are going to override the method in our own scripts to get around the issue, but we are hoping there is a CFP or Service Pack with an update to the jQuery client library.
Unlikely yet. But please feel free to log a Daycare ticket.
AEM doesn't use a single version of jQuery, unfortunately; everything seems to bundle up its own version, so there are several versions throughout the product. In AEM 6.4.4 (via GRANITE-19902) jQuery for ContextHub was brought up to 3.2.1 from 1.11.0!!
So in 6.4.4 it should be jQuery 3.2.1 in most of the product.
So if CVE-2019-11358 affects 3.4.0 and earlier, then AEM is likely susceptible to this vector at this time.
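One way to build the `jQuery.extend` override mentioned earlier in the thread, as an added example that is not code from any poster or from Adobe. `guardExtend`, `stripProto`, `isPlain`, `legacyExtend` (a simplified stand-in for a pre-3.4.0 deep extend, so the block runs without jQuery) and `demo` are hypothetical names, and the payload is constructed.

```javascript
// Plain object: an object literal or Object.create(null), nothing else.
function isPlain(v) {
  if (v === null || typeof v !== "object") return false;
  const p = Object.getPrototypeOf(v);
  return p === null || p === Object.prototype;
}
// Copy plain objects and arrays without any own "__proto__" key (the key the
// jQuery 3.4.0 fix skips). Other values pass by reference. Assumes acyclic input.
function stripProto(v) {
  if (Array.isArray(v)) return v.map(stripProto);
  if (!isPlain(v)) return v;
  const out = {};
  for (const k of Object.keys(v)) if (k !== "__proto__") out[k] = stripProto(v[k]);
  return out;
}
// Wrap an extend-style function. Only deep calls are touched, and only the
// sources are copied, so the target object keeps its identity.
function guardExtend(extendFn) {
  return function (...args) {
    if (args[0] === true) {
      // extend(true, obj) merges obj into `this`, so obj is then the source.
      for (let i = args.length === 2 ? 1 : 2; i < args.length; i++) args[i] = stripProto(args[i]);
    }
    return extendFn.apply(this, args);
  };
}
// Stand-in for an unpatched deep extend (constructed, not jQuery's source).
function legacyExtend(...args) {
  const deep = args[0] === true;
  const target = args[deep ? 1 : 0];
  for (const src of args.slice(deep ? 2 : 1)) {
    for (const name in src) {
      const copy = src[name], cur = target[name];
      if (deep && isPlain(copy)) target[name] = legacyExtend(true, isPlain(cur) ? cur : {}, copy);
      else if (copy !== undefined) target[name] = copy;
    }
  }
  return target;
}
// Merge a constructed JSON payload and report whether Object.prototype changed.
function demo(extendFn) {
  const payload = JSON.parse('{"a": {"b": 1}, "__proto__": {"polluted": true}}');
  const merged = extendFn(true, {}, payload);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted; // restore global state after the check
  return { merged, leaked };
}
// In a page (assumption, not run here): jQuery.extend = jQuery.fn.extend = guardExtend(jQuery.extend);
```

Because several jQuery copies are bundled, as noted above, the wrapper would have to be applied to each copy after it loads.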