Hi folks,
Our pen testers are saying there are 2 new Medium vulnerabilities in the 1.12.4 version of jQuery.
https://snyk.io/test/npm/jquery/1.12.4
Does service pack 6 or 7 contain a patched version of jQuery that includes fixes for all of the latest vulnerabilities?
BTW, are we allowed to change the version of jQuery ourselves? I always thought we weren't allowed to change it, but I have seen tutorials explaining how to do it.
https://aem4beginner.blogspot.com/overriding-jquery-version-in-cq
I'm a bit puzzled. Anybody know the answer?
thanks
Fiona
Definitely. While the AEM platform uses the cq.jquery client library for internal use, for your company's website you can totally define your own jQuery library which contains the latest version of jQuery. You can place the "VENDOR" client library under /apps/my-site/clientlibs/vendor/*. A standard practice in an AEM project is to place 3rd-party JavaScript libraries in the vendor folder and export them from there as a client library.
Example:
Next, you can set your clientlib-site with the jquery.3.1.1 as a dependency.
Hmmmm... I still get the old granite jQuery on my publish page (as well as the 3.5.1 I added to my clientlibs), not sure where that old one is coming from. The guy in the blog above suggests that you can replace the granite jQuery (if you test plenty afterwards). What do you think of that idea? thanks Fiona
Thanks Brian. FYI, below is a screenshot of the blog. Also I am showing the bunch of scripts that get pulled into every page. I had a look at some of it and it is CQ Day stuff to do with "picturefill" and utility functions for Adobe Forms that we also use. They must pull in the granite jQuery. thanks Fiona.
<link rel="stylesheet" href="/etc.clientlibs/foundation/clientlibs/main.min.<hash>.css" type="text/css">
<script type="text/javascript" src="/etc.clientlibs/clientlibs/granite/jquery.min.<hash>.js"></script>
<script type="text/javascript" src="/etc.clientlibs/clientlibs/granite/utils.min.<hash>.js"></script>
<script type="text/javascript" src="/etc.clientlibs/clientlibs/granite/jquery/granite.min.<hash>.js"></script>
<script type="text/javascript" src="/etc.clientlibs/foundation/clientlibs/jquery.min.<has>.js"></script>
<script type="text/javascript" src="/etc.clientlibs/foundation/clientlibs/shared.min....js"></script>
<script type="text/javascript" src="/etc.clientlibs/foundation/clientlibs/main.min...js"></script>
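A way to audit the situation described in the post above, as an added example that is not part of the original thread: it lists every script include on a rendered page that ships a jQuery core file and says whether it comes from the platform clientlibs or from a site clientlib. The function names, the file-name heuristic, the `/etc.clientlibs/my-site/...` path and the hashes in the sample page are assumptions made for the example.

```javascript
// Added example (not from the thread): find which <script> includes on a
// rendered AEM page ship a copy of jQuery, and who owns each copy.
// Platform prefixes are the ones visible in the markup posted above.
const PLATFORM_PREFIXES = [
  "/etc.clientlibs/clientlibs/granite/",
  "/etc.clientlibs/foundation/clientlibs/",
];

// Heuristic (assumption): a jQuery core file is named
// jquery[-x.y.z][.min][.<hex hash>].js. This skips jquery-ui.js and
// Granite's jQuery extension (granite.min.<hash>.js).
const JQUERY_CORE = /^jquery(-\d+(\.\d+)*)?(\.min)?(\.[0-9a-f]{6,})?\.js$/i;

function auditJqueryIncludes(html) {
  const findings = [];
  const scriptSrc = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  for (const [, src] of html.matchAll(scriptSrc)) {
    // Drop scheme+host and any query string or fragment before matching.
    const path = src.replace(/^https?:\/\/[^/]+/i, "").split(/[?#]/)[0];
    const file = path.slice(path.lastIndexOf("/") + 1);
    if (!JQUERY_CORE.test(file)) continue;
    const platform = PLATFORM_PREFIXES.some((p) => path.startsWith(p));
    findings.push({ path, owner: platform ? "platform" : "site" });
  }
  return findings;
}

// Count copies per owner; multipleCopies flags a page that loads jQuery
// more than once, which is the case reported in the post above.
function summarize(findings) {
  const count = (o) => findings.filter((f) => f.owner === o).length;
  return { platform: count("platform"), site: count("site"),
           multipleCopies: findings.length > 1 };
}

// Constructed sample page: the hash is made up and /my-site/ is hypothetical.
const SAMPLE_PAGE = `
<script src="/etc.clientlibs/clientlibs/granite/jquery.min.0a1b2c3d4e5f.js"></script>
<script src="/etc.clientlibs/clientlibs/granite/utils.min.0a1b2c3d4e5f.js"></script>
<script src="/etc.clientlibs/clientlibs/granite/jquery/granite.min.0a1b2c3d4e5f.js"></script>
<script src="/etc.clientlibs/foundation/clientlibs/jquery.min.0a1b2c3d4e5f.js"></script>
<script src="/etc.clientlibs/my-site/clientlibs/vendor/jquery.min.0a1b2c3d4e5f.js"></script>
`;

console.log(auditJqueryIncludes(SAMPLE_PAGE), summarize(auditJqueryIncludes(SAMPLE_PAGE)));
```

The URL alone does not reveal the version: open each reported file and read its banner comment, or check `jQuery.fn.jquery` in the browser console.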
Hi @BrianKasingli ,
In my project the security team has also reported a similar vulnerability issue with the 1.12.4 version of jQuery, and they have mentioned the file location /etc.clientlibs/clientlibs/granite/jquery.js.
But if we take a closer look in CRXDE, we can see the actual file location is /libs/clientlibs/granite/jquery/source/1.12.4/jquery-1.12.4.js, as shown below -
I feel in this case it would be better to raise an Adobe support ticket to highlight the issue instead of overlaying and upgrading the jQuery version, as /libs/clientlibs/granite/jquery comes under /libs/clientlibs/granite [granite:InternalArea]. Please correct my understanding here.
@kautuk_sahni, please suggest and correct my understanding. I am using AEM 6.5.10.
Hi @DEBAL_DAS, @All
Did you find any fix or solution to this issue?
Please share if you have any suggestions to resolve the issue.
I appreciate your help. Thanks
Any update on this? We have the same issue in our project.
Hi all,
Please confirm how this was actioned, since we are in the same boat on AEM 6.5.9.0.
CVEs were reported on the version of jQuery used, and while we are looking into upgrading it or overriding it, wanted to know how any of you solved this recently, since the accepted response is a bit dated. Do any service packs need to be installed, or is a custom override the way to go?
Appreciate responses on how it was mitigated.
Thanks in advance!
@kartheekd203042, Adobe Support confirmed to us that they've already added the fixes for these issues in their product.