jQuery 1.12.4 has security vulnerabilities (listed below). Are there any plans to upgrade jQuery on AEM 6.5 to the latest jQuery 3.6.x ?
Although we do see a custom jQuery v1.12.4-aem, did Adobe fix some of the vulnerabilities?
As of now, even AEM 6.5.14 comes with jQuery 1.12.4.
The docs for 6.5.0 state https://experienceleague.adobe.com/docs/experience-manager-65/release-notes/service-pack/ga.html?lan...
CAUTION
AEM includes version 1.12.4 of the jQuery library to provide maximum compatibility with existing custom code. Modifications have been done by Adobe to address known security issues.
Vulnerabilities in jQuery 1.12.4
1. jQuery prior to version 3.0.0 is vulnerable to Cross-Site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
2. jQuery prior to version 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
3. In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
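Item 2 above is the one that is easiest to reason about without the library itself. The following is an added example, not code from the thread, from jQuery or from Adobe: a simplified deep merge in the shape of jQuery.extend(true, target, source), first as the vulnerable pre-3.4.0 pattern and then hardened the way 3.4.0 fixed it (skipping the "__proto__" key), with the extra refusal of "constructor" and "prototype" that goes beyond the page. The JSON input, the function names and the pollutionCheck helper are all constructed for this illustration. It runs in plain Node.js with no jQuery present.

```javascript
// Added example (not jQuery's or AEM's code): why a deep merge that walks
// every enumerable key of an untrusted object pollutes Object.prototype,
// and the guard that stops it.

// Constructed untrusted input, e.g. a JSON request body. JSON.parse creates
// an *own*, enumerable data property literally named "__proto__".
const UNTRUSTED_JSON = '{"theme":"dark","__proto__":{"polluted":true}}';

function isMergeableObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable shape (pre-3.4.0 behaviour): for key "__proto__", target[key]
// resolves to Object.prototype, so the recursion writes the attacker's keys
// onto the prototype shared by every plain object in the realm.
function deepExtendVulnerable(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isMergeableObject(value)) {
      const existing = target[key];
      target[key] = deepExtendVulnerable(
        isMergeableObject(existing) ? existing : {},
        value
      );
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened shape: jQuery 3.4.0 skips "__proto__" and a self-reference.
// This version additionally refuses "constructor" and "prototype" (a second
// route to the same object) and only ever reads *own* properties of target.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function deepExtendSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value === target) continue; // never merge an object into itself
    if (isMergeableObject(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key)
        ? target[key]
        : undefined;
      target[key] = deepExtendSafe(
        isMergeableObject(existing) ? existing : {},
        value
      );
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Merges the untrusted input into fresh defaults with the given merge
// function and reports whether an unrelated object inherited the injected
// key. Deletes the polluted key afterwards so a vulnerable run does not
// poison the rest of the process.
function pollutionCheck(mergeFn) {
  const defaults = { theme: "light", features: { search: true } };
  const merged = mergeFn(defaults, JSON.parse(UNTRUSTED_JSON));
  const unrelated = {};
  const leaked = unrelated.polluted === true;
  delete Object.prototype.polluted;
  return { leaked, theme: merged.theme, search: merged.features.search };
}

console.log("vulnerable merge leaked:", pollutionCheck(deepExtendVulnerable).leaked); // true
console.log("hardened merge leaked:  ", pollutionCheck(deepExtendSafe).leaked);       // false
```

When auditing a site that still ships 1.12.4, the property to look for in a vendored copy is exactly this guard inside extend: a check on the key name "__proto__" before recursing. Its presence is what distinguishes a patched build from stock 1.12.4 for this particular issue; it says nothing about items 1 and 3.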
You can upgrade to the latest jQuery version in your site's /vendor/* folders.
Please see the thread below for more details.
One can always use the latest version of jQuery for the sites.
The one provided with AEM is used in AEM with Touch UI. It might be older than the latest available jQuery versions.
Hi @surenk ,
As the product code is dependent on the older version of jQuery, it is being shipped with it; however, from time to time the vulnerabilities reported are fixed by engineering and shipped with the product. The version you see, jQuery v1.12.4-aem, is one of those that have been modified.
Hope this helps!
Regards,
Nitesh
Hello. Surenk did ask a closed-ended question that was not addressed: "did Adobe fix some of the (jQuery v1.12.4) vulnerabilities?" Can you provide an answer to this question by either answering: "Yes", "No", or "I/We don't know". Otherwise, your response isn't really assisting much in risk assessment of the product. Thanks, in advance, for your time.