
AEM 6.5 uses jQuery 1.12.4 that has vulnerabilities. Will it be upgraded to 3.6 ?


Level 4

jQuery 1.12.4 has security vulnerabilities (listed below). Are there any plans to upgrade jQuery on AEM 6.5 to the latest jQuery 3.6.x ? 

Although, we do see a custom jQuery v1.12.4-aem , did Adobe fix some of the vulnerabilities?

 

As of now, even AEM 6.5.14 comes with jQuery 1.12.4.

[screenshot: aem-65-jquery.png]

 

The docs for 6.5.0 state https://experienceleague.adobe.com/docs/experience-manager-65/release-notes/service-pack/ga.html?lan...

[screenshot: Screen Shot 2023-01-03 at 2.18.37 PM.png]

CAUTION
AEM includes version 1.12.4 of the jQuery library to provide maximum compatibility with existing custom code. Modifications have been done by Adobe to address known security issues.

 

Vulnerabilities in jQuery 1.12.4

1. In jQuery prior to version 3.0.0 is vulnerable to Cross-Site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

2. jQuery prior to version 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

3. In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
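The three items above each have a known upstream fix version (3.0.0, 3.4.0 and 3.5.0). The helpers below are an added example, not code from the thread or from Adobe: one maps a jQuery version string such as `1.12.4-aem` to the issues that apply to an unpatched build of that version, and the other is a deep merge in the spirit of `jQuery.extend(true, ...)` that skips the keys which reach the prototype chain, which is the approach jQuery 3.4.0 took for item 2. The issue ids, the `-aem` suffix handling and the JSON payload at the bottom are constructed for the example; a vendor suffix is reported but is deliberately not treated as proof that any backport is present, since the version number alone cannot tell you that.

```javascript
'use strict';

// Parse "1.12.4", "3.6.0" or "1.12.4-aem" into numeric parts plus an optional suffix.
// The suffix (e.g. "aem") is kept only for reporting; it does not change the verdict.
function parseJqueryVersion(versionString) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z0-9.]+))?$/.exec(String(versionString).trim());
  if (!m) throw new Error('unrecognised jQuery version string: ' + versionString);
  return { major: +m[1], minor: +m[2], patch: +m[3], suffix: m[4] || '' };
}

function compareVersion(a, b) {
  return (a.major - b.major) || (a.minor - b.minor) || (a.patch - b.patch);
}

// Upstream fix boundaries as quoted in the post above. Ids are constructed labels.
const JQUERY_ISSUES = [
  { id: 'xdomain-ajax-script-execution', introducedIn: '0.0.0', fixedIn: '3.0.0',
    note: 'cross-domain Ajax without dataType executes text/javascript responses' },
  { id: 'extend-prototype-pollution', introducedIn: '0.0.0', fixedIn: '3.4.0',
    note: 'jQuery.extend(true, {}, ...) honours an enumerable __proto__ key' },
  { id: 'dom-manipulation-sanitizer-bypass', introducedIn: '1.2.0', fixedIn: '3.5.0',
    note: '.html()/.append() may execute sanitized HTML' },
];

// Ids of the upstream issues that apply to an unpatched build of this version.
// A vendor suffix such as "-aem" is not a clean bill of health: only a vendor
// statement or a test against the shipped build can confirm a backport.
function affectedIssues(versionString) {
  const v = parseJqueryVersion(versionString);
  return JQUERY_ISSUES
    .filter(issue => compareVersion(v, parseJqueryVersion(issue.introducedIn)) >= 0)
    .filter(issue => compareVersion(v, parseJqueryVersion(issue.fixedIn)) < 0)
    .map(issue => issue.id);
}

// Keys that can reach the prototype chain through a plain assignment.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === null || proto === Object.prototype;
}

// Deep merge modelled on jQuery.extend(true, target, ...sources), but any source
// key in FORBIDDEN_KEYS is skipped instead of being assigned, so a parsed JSON
// document carrying an own "__proto__" property cannot alter Object.prototype.
function safeDeepExtend(target, ...sources) {
  for (const source of sources) {
    if (!isPlainObject(source)) continue;
    for (const key of Object.keys(source)) {
      if (FORBIDDEN_KEYS.has(key)) continue;
      const value = source[key];
      if (isPlainObject(value)) {
        const existing = isPlainObject(target[key]) ? target[key] : {};
        target[key] = safeDeepExtend(existing, value);
      } else if (value !== undefined) {
        target[key] = value;
      }
    }
  }
  return target;
}

// Stand-alone demonstration with a constructed payload (not from the thread).
function demo() {
  const verdict = affectedIssues('1.12.4-aem');
  // JSON.parse creates an *own* property named "__proto__", which Object.keys exposes.
  const untrusted = JSON.parse('{"__proto__": {"polluted": true}, "a": {"b": 1}}');
  const merged = safeDeepExtend({}, untrusted);
  return { verdict, merged, prototypeClean: ({}).polluted === undefined };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo()));
}
```

`affectedIssues` gives a reviewer a repeatable way to record which upstream issues a deployed version string falls under, while the suffix caveat keeps the Adobe-patched build question open exactly as the thread leaves it. `safeDeepExtend` is the pattern to use in custom site code that merges untrusted JSON, independent of which jQuery the page loads. For item 3, the jQuery project's own 3.5.0 release note recommends, for sites that cannot upgrade, overriding `jQuery.htmlPrefilter` with a function that returns its input unchanged.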

4 Replies


Community Advisor

You can upgrade to the latest jQuery version in your site's /vendor/* folders.

 

Please see the thread below for more details:

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/pen-test-vulnerabilities-f...


Community Advisor

One can always use the latest version of jQuery for the sites.

The one provided with AEM is used within AEM by the Touch UI. It might be older than the latest available jQuery version.


Aanchal Sikka


Employee Advisor

Hi @surenk ,

 

As the product code depends on the older version of jQuery, it is shipped with that version; however, from time to time the reported vulnerabilities are fixed by engineering and shipped with the product. The version you see, jQuery v1.12.4-aem, is one of those modified builds.

 

  • If you still see those vulnerabilities or new ones, they need to be reported to engineering through a support ticket so they can be addressed.
  • If you have to use a specific version for your project needs, you can override it as others have suggested.

Hope this helps!

 

Regards,

Nitesh

 


Level 1

Hello. Surenk did ask a closed-ended question that was not addressed: "did Adobe fix some of the (jQuery v1.12.4) vulnerabilities?" Can you provide an answer to this question by either answering: "Yes", "No", or "I/We don't know". Otherwise, your response isn't really assisting much in risk assessment of the product. Thanks, in advance, for your time.