
AEM 6.5 uses jQuery 1.12.4 that has vulnerabilities. Will it be upgraded to 3.6 ?


Level 4

jQuery 1.12.4 has security vulnerabilities (listed below). Are there any plans to upgrade jQuery on AEM 6.5 to the latest jQuery 3.6.x ? 

Although, we do see a custom jQuery v1.12.4-aem , did Adobe fix some of the vulnerabilities?


As of now, even AEM 6.5.14 comes with jQuery 1.12.4.

[Screenshot: aem-65-jquery.png]


The docs for 6.5.0 state https://experienceleague.adobe.com/docs/experience-manager-65/release-notes/service-pack/ga.html?lan...

[Screenshot: Screen Shot 2023-01-03 at 2.18.37 PM.png]

CAUTION
AEM includes version 1.12.4 of the jQuery library to provide maximum compatibility with existing custom code. Modifications have been done by Adobe to address known security issues.


Vulnerabilities in jQuery 1.12.4

1. jQuery prior to version 3.0.0 is vulnerable to Cross-Site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

2. jQuery prior to version 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

3. In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
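An added self-check for items 2 and 3 above (my own code, not from this thread, from Adobe, or from jQuery): it probes whatever deep-extend a page actually ships with a constructed `__proto__` payload, which is the kind of behavioural test that can answer "was this vendor-patched `v1.12.4-aem` build fixed?" rather than trusting the version string, and it parses the version string for the 3.5.0 `.html()` fix. The names `probeDeepExtend`, `safeDeepExtend` and `isBelow350` are mine; `safeDeepExtend` is an illustrative hardened merge, not jQuery's implementation.

```javascript
// Added example (not from the thread, Adobe or jQuery): behavioural check for
// deep-extend prototype pollution plus a version gate for the 3.5.0 .html() fix.

// Keys that must never be walked into during a deep merge. Skipping "__proto__"
// is the same idea jQuery adopted in 3.4.0; the other two are added defensively.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" &&
    Object.getPrototypeOf(v) === Object.prototype;
}

// Hardened deep merge (illustrative, mine): copies own keys of each source into
// target, recursing into plain objects, and refuses prototype-chain keys.
function safeDeepExtend(target, ...sources) {
  for (const src of sources) {
    if (!src) continue;
    for (const key of Object.keys(src)) {
      if (UNSAFE_KEYS.has(key)) continue;      // never reach Object.prototype
      const val = src[key];
      if (isPlainObject(val)) {
        target[key] = safeDeepExtend(isPlainObject(target[key]) ? target[key] : {}, val);
      } else if (val !== undefined) {
        target[key] = val;
      }
    }
  }
  return target;
}

// Probe a deep-extend implementation with a constructed payload. Returns true when
// the merge leaves Object.prototype untouched, false when a fresh object can now
// see the marker. To test a served build: probeDeepExtend((t, s) => jQuery.extend(true, t, s)).
function probeDeepExtend(extendFn) {
  const marker = "__pp_probe_" + Math.random().toString(36).slice(2);
  // JSON.parse creates an own, enumerable "__proto__" key, as the CVE text describes.
  const payload = JSON.parse(`{"__proto__": {"${marker}": "polluted"}}`);
  try {
    extendFn({}, payload);
    return !(marker in {});
  } finally {
    delete Object.prototype[marker];           // clean up if the merge did pollute
  }
}

// Version gate for the .html()/.append() sanitisation fix: true below 3.5.0. A
// vendor suffix such as "-aem" is ignored since it says nothing about backports.
function isBelow350(versionString) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(versionString);
  if (!m) return true;                         // unparseable: treat as old/unknown
  const [major, minor] = m.slice(1).map(Number);
  return major < 3 || (major === 3 && minor < 5);
}
```

A version-string check alone cannot tell a backported build from an unpatched one, which is why the probe exists; a positive probe result still says nothing about the two other issues listed.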

6 Replies


Community Advisor

You can upgrade to the latest jQuery version in your site's /vendor/* folders.


Please see the thread below for more details:

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/pen-test-vulnerabilities-f...


Community Advisor

One can always use the latest version of jQuery for the sites.

The one provided with AEM is used in AEM with Touch UI. It might be older than the latest available jQuery versions.


Aanchal Sikka


Employee Advisor

Hi @surenk ,


As the product code is dependent on the older version of jQuery, it is shipped with it; however, from time to time the reported vulnerabilities are fixed by engineering and shipped with the product. The version you see, jQuery v1.12.4-aem, is one of those that has been modified.


  • If you still see those vulnerabilities or new ones, they need to be reported to engineering through a support ticket so they can be addressed.
  • If you have to use a specific version for your project needs, you can override it as others have suggested.

Hope this helps!


Regards,

Nitesh



Level 1

Hello. Surenk did ask a closed-ended question that was not addressed: "did Adobe fix some of the (jQuery v1.12.4) vulnerabilities?" Can you provide an answer to this question by either answering: "Yes", "No", or "I/We don't know". Otherwise, your response isn't really assisting much in risk assessment of the product. Thanks, in advance, for your time.


Level 1

A DAST scan is flagging a Vulnerable JS Library issue for jQuery v1.12.4-aem. I tried overriding jQuery v1.12.4, but that impacts AEM components like the header menu. We found no other choice, so we have to keep the default vulnerable version v1.12.4-aem of jQuery used by aem_6.5.19. Hope Adobe will look into it soon and replace it with a non-vulnerable jQuery library. The issue has been open for a long time.


Level 1

Question is, can we use an off-the-shelf updated jQuery, or must we use v1.12.4?
And if yes, is there any suggested version to use?