PEN test vulnerabilities for jquery used by AEM

fionas76543059

19-02-2021

Hi folks,

Our PEN testers are saying there are 2 new Medium vulnerabilities in the 1.12.4 version of jQuery.

https://snyk.io/test/npm/jquery/1.12.4

  1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023
  2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022

Does service pack 6 or 7 contain a patched version of jQuery that includes fixes for all of the latest vulnerabilities?

BTW, are we allowed to change the version of jQuery ourselves? I always thought we weren't allowed to change it, but I have seen tutorials explaining how to do it.

https://aem4beginner.blogspot.com/overriding-jquery-version-in-cq

I'm a bit puzzled. Anybody know the answer?

Thanks,

Fiona

Accepted Solutions (1)

BrianKasingli
MVP

19-02-2021

@fionas76543059,

Definitely. While the AEM platform uses the cq.jquery client library for internal use, for your company's website you can totally define your own jQuery library which contains the latest version of jQuery. You can place the "VENDOR" client library under /apps/my-site/clientlibs/vendor/*. A standard practice is to place 3rd-party JavaScript libraries in an AEM project under the vendor folder and export them from there as a client library.

Example: (screenshot of the vendor client library structure, not reproduced)

Next, you can set your clientlib-site with jquery.3.1.1 as a dependency:

(screenshot of the clientlib-site dependency, not reproduced)
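The thread names the two CVEs but not what they actually do, so here is an added example (written for this page; it is not code from the original post, from jQuery, or from AEM) showing why CVE-2020-11022 is a real finding against 1.12.4 and what upgrading to 3.5.0 changes. Before 3.5.0, every HTML string given to `.html()`, `.append()`, `$(html)` and friends went through `jQuery.htmlPrefilter`, which expanded self-closing tags such as `<style />` into `<style></style>`; the regex and replacement below are copied from the pre-3.5.0 jQuery source. That expansion can move markup out of a `<style>` raw-text context, so a payload that was inert when it left a sanitizer becomes a live `<img onerror>` after jQuery rewrites it. The payload follows the pattern in the jQuery advisory; `countLiveImgTags` is a deliberately minimal model of the browser's raw-text handling for `<style>` (an assumption, not a real parser), and `needsHtmlPrefilterFix` is a hypothetical helper for checking the version string that `jQuery.fn.jquery` reports. The `<option>`-based variant tracked as CVE-2020-11023 is not modelled here; both CVEs are fixed in 3.5.0.

```javascript
// Added example (not from the original post, jQuery or AEM).
// Pre-3.5.0 jQuery: htmlPrefilter expanded "<x/>" to "<x></x>" using this
// regex and replacement (copied from the jQuery source of that era).
const rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

function vulnerableHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// jQuery 3.5.0 made htmlPrefilter an identity function. Assigning the same
// identity function to jQuery.htmlPrefilter is the workaround the jQuery
// project published for older builds that expose the hook (1.12.x / 2.2.x and later).
function fixedHtmlPrefilter(html) {
  return html;
}

// Minimal model (assumption, not a real HTML parser): after a <style> start
// tag the browser treats everything as raw text until a literal </style>.
// Counts <img start tags that sit OUTSIDE raw text, i.e. that would become
// real elements whose onerror handler can run.
function countLiveImgTags(html) {
  const lower = html.toLowerCase();
  let live = 0;
  let i = 0;
  while (i < lower.length) {
    if (lower.startsWith("<style", i) && /[\s>\/]/.test(lower[i + 6] || ">")) {
      const end = lower.indexOf("</style", i);
      if (end === -1) return live; // never closed: the rest is raw text
      i = end + "</style".length;
      continue;
    }
    if (lower.startsWith("<img", i) && /[\s>\/]/.test(lower[i + 4] || ">")) {
      live++;
      i += "<img".length;
      continue;
    }
    i++;
  }
  return live;
}

// Constructed payload following the advisory pattern: a sanitizer that allows
// <style> sees the <img> as inert CSS text, because it sits inside <style>.
const PAYLOAD = "<style><style /><img src=x onerror=alert(1)>";

// Runs a prefilter over the payload and reports whether the <img> went live.
function demo(prefilter, html = PAYLOAD) {
  const output = prefilter(html);
  return { output, liveImgTags: countLiveImgTags(output) };
}

// Hypothetical helper: given the string from jQuery.fn.jquery, decide whether
// this build predates the 3.5.0 fix. Anything below 3.5 needs the upgrade
// (or the htmlPrefilter identity workaround).
function needsHtmlPrefilterFix(versionString) {
  const parts = versionString.split(".").map((n) => parseInt(n, 10) || 0);
  const major = parts[0] || 0;
  const minor = parts[1] || 0;
  if (major !== 3) return major < 3;
  return minor < 5;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("1.12.4 prefilter:", demo(vulnerableHtmlPrefilter));
  console.log("3.5.0 prefilter: ", demo(fixedHtmlPrefilter));
  console.log("1.12.4 needs fix:", needsHtmlPrefilterFix("1.12.4"));
}
```

Run it with `node` and the pre-3.5.0 prefilter turns the payload into `<style><style ></style><img src=x onerror=alert(1)>`, where the `<img>` is now outside the style block; the 3.5.0 prefilter leaves it inert. On an AEM page, `jQuery.fn.jquery` in the browser console tells you which copy a given page actually loaded; since the answer above notes that the platform still ships cq.jquery for its own use, it is worth checking both author and publish pages rather than only the site clientlib you bundled.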