Hi folks,
Our pen testers are saying there are 2 new Medium vulnerabilities in the 1.12.4 version of jQuery.
https://snyk.io/test/npm/jquery/1.12.4
Does service pack 6 or 7 contain a patched version of jQuery that includes fixes for all of the latest vulnerabilities?
BTW, are we allowed to change the version of jQuery ourselves? I always thought we weren't allowed to change it, but I have seen tutorials explaining how to do it.
https://aem4beginner.blogspot.com/overriding-jquery-version-in-cq
I'm a bit puzzled. Does anybody know the answer?
thanks
Fiona
Definitely. While the AEM platform uses the cq.jquery client library for internal use, for your company's website you can totally define your own jQuery library containing the latest version of jQuery. You can place the "VENDOR" client library under /apps/my-site/clientlibs/vendor/*. A standard practice in an AEM project is to place third-party JavaScript libraries in the vendor folder and export them as a client library.
Example:
Next, you can set your clientlib-site with the jquery.3.1.1 clientlib as a dependency.
Hmmmm... I still get the old Granite jQuery on my publish page (as well as the 3.5.1 I added to my clientlibs); not sure where that old one is coming from. The guy in the blog above suggests that you can replace the Granite jQuery (if you test plenty afterwards). What do you think of that idea? Thanks, Fiona
Thanks Brian. FYI, below is a screenshot of the blog. I am also showing the bunch of scripts that get pulled into every page. I had a look at some of it and it is CQ Day stuff to do with "picturefill" and utility functions for Adobe Forms that we also use. They must pull in the Granite jQuery. Thanks, Fiona.
<link rel="stylesheet" href="/etc.clientlibs/foundation/clientlibs/main.min.<hash>.css" type="text/css">
<script type="text/javascript" src="/etc.clientlibs/clientlibs/granite/jquery.min.<hash>.js"></script>
<script type="text/javascript" src="/etc.clientlibs/clientlibs/granite/utils.min.<hash>.js"></script>
<script type="text/javascript" src="/etc.clientlibs/clientlibs/granite/jquery/granite.min.<hash>.js"></script>
<script type="text/javascript" src="/etc.clientlibs/foundation/clientlibs/jquery.min.<hash>.js"></script>
<script type="text/javascript" src="/etc.clientlibs/foundation/clientlibs/shared.min....js"></script>
<script type="text/javascript" src="/etc.clientlibs/foundation/clientlibs/main.min...js"></script>
Hi @BrianKasingli ,
In my project, the security team has also reported a similar vulnerability issue with the 1.12.4 version of jQuery, and they have mentioned the file location /etc.clientlibs/clientlibs/granite/jquery.js.
But if we take a closer look in CRXDE, we can see the actual file location is /libs/clientlibs/granite/jquery/source/1.12.4/jquery-1.12.4.js, as shown below -
I feel in this case it would be better to raise an Adobe support ticket to highlight the issue instead of overlaying and upgrading the jQuery version, as /libs/clientlibs/granite/jquery comes under /libs/clientlibs/granite [granite:InternalArea]. Please correct my understanding here.
@kautuk_sahni, please suggest and correct my understanding. I am using AEM 6.5.10.
Hi @DEBAL_DAS, @All
Did you find any fix or solution to this issue?
Please share if you have any suggestion to resolve the issue.
I appreciate your help. Thanks.
Any update on this? We have the same issue in our project.
Hi all,
Please confirm how this was actioned, since we are in the same boat on AEM 6.5.9.0.
CVEs were reported on the version of jQuery used, and while we are looking into upgrading it or overriding it, we wanted to know how any of you solved this recently, since the accepted response is a bit dated. Do any service packs need to be installed, or is a custom override the way to go?
Appreciate responses on how it was mitigated.
Thanks in advance!
@kartheekd203042, Adobe Support confirmed to us that they've already added the fixes for these issues in their product.
Old post, but people still have the same question, and the "solution" doesn't really solve the problem.
First though, the OOTB version of jQuery is an updated version of v1.12.4; it already contains fixes for the known vulnerabilities. So if you are looking to update jQuery simply to pass a security scan, then you should read this:
https://docs.mktossl.com/docs/experience-cloud-kcs/kbarticles/KA-21173.html
If you still want to use a newer version of jQuery, then the solution is simple.
Create your own clientlib that contains the version of jQuery that you want.
Set the 'categories' property of your clientlib to be "jquery".
Set the 'replaces' property of your clientlib to be "/libs/clientlibs/granite/jquery".
The key point is to set the 'replaces' property, otherwise you'll end up loading both the OOTB code and your own version.
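To make the two answers above concrete (the vendor clientlib under /apps/my-site/clientlibs/vendor with a site clientlib depending on it, and the 'categories' plus 'replaces' properties), here is an added example of the .content.xml files involved. This is not code from the thread or from Adobe; the folder names, the "my-site.site" category and the 3.5.1 file name are assumptions, and the three jcr:root fragments are three separate files shown together. The first fragment shows the weak configuration that declares the "jquery" category without 'replaces', which is what causes both the OOTB Granite copy and your own copy to be loaded; the second is the corrected configuration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- File A (WEAK): /apps/my-site/clientlibs/vendor/jquery/.content.xml
     Only 'categories' is set. The OOTB /libs/clientlibs/granite/jquery also serves
     the "jquery" category, so every page that depends on "jquery" pulls in BOTH
     copies, and the old 1.12.4 build still shows up in the scan. -->
<jcr:root xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:cq="http://www.day.com/jcr/cq/1.0"
    jcr:primaryType="cq:ClientLibraryFolder"
    categories="[jquery]"
    allowProxy="{Boolean}true"/>

<!-- File B (CORRECTED): same path, 'replaces' added.
     'replaces' tells the HTML Library Manager to serve this folder instead of the
     OOTB clientlib wherever the "jquery" category is requested, so only one jQuery
     is emitted. 'allowProxy' keeps the /etc.clientlibs proxy path working.
     Alongside this file the folder needs (assumed names):
       js.txt            containing   #base=js
                                      jquery-3.5.1.min.js
       js/jquery-3.5.1.min.js         the library build you chose -->
<jcr:root xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:cq="http://www.day.com/jcr/cq/1.0"
    jcr:primaryType="cq:ClientLibraryFolder"
    categories="[jquery]"
    replaces="/libs/clientlibs/granite/jquery"
    allowProxy="{Boolean}true"/>

<!-- File C: /apps/my-site/clientlibs/clientlib-site/.content.xml
     The site clientlib declares the "jquery" category as a dependency (the
     "clientlib-site with jquery as a dependency" step from the accepted answer).
     "my-site.site" is an assumed category name. -->
<jcr:root xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:cq="http://www.day.com/jcr/cq/1.0"
    jcr:primaryType="cq:ClientLibraryFolder"
    categories="[my-site.site]"
    dependencies="[jquery]"
    allowProxy="{Boolean}true"/>
```

To check the result, view the source of a published page and confirm that only one jquery.min.*.js script tag is emitted rather than the Granite and foundation copies listed earlier in this thread. Because a later reply reports that forcing a different jQuery broke component dialogs in edit mode, test both author and publish before rolling the replacement out, and keep the Adobe KB article linked above in mind if the goal is only to satisfy a scanner that matches on the version string.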
Adobe says this about this jQuery version: "AEM includes version 1.12.4 of the jQuery library to provide maximum compatibility with existing custom code. Modifications have been done by Adobe to address known security issues."
Ref: General Release Notes for Adobe Experience Manager 6.5 | Adobe Experience Manager
After testing all the approaches mentioned here, I wonder why there is no further discussion; nothing that really concludes the issue is mentioned here.
Yes, the answer marked as correct helps to use a different version; however, in edit mode the jQuery version used is the default one, otherwise (when forcing it to use a different version, for instance version 4) the component dialog will not open.
So, given that the link mentioned here from the official docs for AEM 6.5 indicates that the default jQuery version contains fixes for the vulnerabilities, should that make us use that version without being worried about it?
@DEBAL_DAS, did you solve the issue so the security team was satisfied? Did you raise a ticket with Adobe?
As usual, broken links like this one:
https://helpx.adobe.com/in/experience-manager/kb/resolve-jquery-library-conflicts-aem6.html
are referred to in other pages like https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/jquery-conflict-in-aem-6-4...
Were you guys able to fix the issue? Do you care only about the publish view, not the editor?
Thanks