SOLVED

PEN test vulnerabilities for jquery used by AEM

fionas76543059
Level 4

Hi folks,

 

Our PEN testers are saying there are 2 new Medium vulnerabilities in the 1.12.4 version of jQuery.

https://snyk.io/test/npm/jquery/1.12.4

  1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023
  2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022

Does service pack 6 or 7 contain a patched version of jQuery that includes fixes for all of the latest vulnerabilities?

BTW, are we allowed to change the version of jQuery ourselves? I always thought we weren't allowed to change it, but I have seen tutorials explaining how to do it.

https://aem4beginner.blogspot.com/overriding-jquery-version-in-cq

 

I'm a bit puzzled. Anybody know the answer?

 

thanks

Fiona

1 Accepted Solution
BrianKasingli
Correct answer by
Community Advisor

@fionas76543059,

Definitely. While the AEM platform uses the cq.jquery client library for internal use, for your company's website you can totally define your own jQuery library which contains the latest version of jQuery. You can place the "VENDOR" client library under /apps/my-site/clientlibs/vendor/*. A standard practice in an AEM project is to place 3rd-party JavaScript libraries in the vendor folder and export them as a client library.

Example:

BrianKasingli_0-1613747560534.png

 

 

Next, you can set your clientlib-site with the jquery.3.1.1 as a dependency.

BrianKasingli_2-1613747481087.png

 


5 Replies

fionas76543059
Level 4

Thanks Brian. Is it the case that the CQ version of jQuery is used only internally in the Author instance then? So we don't have to worry about it on the published public site?
BrianKasingli
Community Advisor

Yes, just make sure you are not referencing the out-of-the-box cq.jquery client library category in your page template, and instead reference the jquery.3.1.1 custom category. You can view the page in "publish mode" and review the .js files that are being referenced in the DOM to ensure that the correct client library is being added to the page.
fionas76543059
Level 4

Hmmmm... I still get the old granite jQuery on my publish page (as well as the 3.5.1 I added to my clientlibs), not sure where that old one is coming from. The guy in the blog above suggests that you can replace the granite jQuery (if you test plenty afterwards). What do you think of that idea? thanks Fiona

 

Thanks Brian. FYI, below is a screenshot of the blog. Also, I am showing the bunch of scripts that get pulled into every page. I had a look at some of it and it is CQ Day stuff to do with "picturefill" and utility functions for Adobe Forms that we also use. They must pull in the granite jQuery. thanks Fiona.

<link rel="stylesheet" href="/etc.clientlibs/foundation/clientlibs/main.min.<hash>.css" type="text/css">
<script type="text/javascript" src="/etc.clientlibs/clientlibs/granite/jquery.min.<hash>.js"></script>
<script type="text/javascript" src="/etc.clientlibs/clientlibs/granite/utils.min.<hash>.js"></script>
<script type="text/javascript" src="/etc.clientlibs/clientlibs/granite/jquery/granite.min.<hash>.js"></script>
<script type="text/javascript" src="/etc.clientlibs/foundation/clientlibs/jquery.min.<hash>.js"></script>
<script type="text/javascript" src="/etc.clientlibs/foundation/clientlibs/shared.min....js"></script>
<script type="text/javascript" src="/etc.clientlibs/foundation/clientlibs/main.min...js"></script>

 

question4.png

BrianKasingli
Community Advisor

fionas, that is a 404 page in the blog you sent above. If your template is calling the right client libraries, then the old jQuery version should not exist. You will need to investigate and understand all of the client libraries being referenced on the page, and ensure that nobody is referencing the "dependency" set with cq.jquery.
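Brian's advice in this thread is to check which .js files a publish page actually loads and to hunt down anything still pulling in the out-of-the-box cq.jquery. The script below is an added example written for this page, not code from the thread or from Adobe: it parses a page's HTML, collects every script src in load order, and reports which ones are the Granite/Foundation jQuery builds seen in Fiona's script list versus a project's own vendor jQuery clientlib. The vendor path (/etc.clientlibs/my-site/clientlibs/vendor/jquery/...) and the constructed sample page are assumptions; adjust the pattern to your project's clientlib path.

```python
"""Audit which jQuery builds a rendered AEM page actually loads.

Added example, not part of the original thread. Feed it the HTML of a
page fetched from a publish instance (or saved from the browser in
"publish mode") and it reports the out-of-the-box jQuery scripts that
still get included alongside the project's own vendor jQuery.
"""
from html.parser import HTMLParser
import re

# Path fragments that identify the out-of-the-box jQuery clientlibs. Both
# paths appear in the script list posted earlier in this thread.
OOTB_JQUERY_PATTERNS = (
    re.compile(r"/clientlibs/granite/jquery\.min\."),
    re.compile(r"/foundation/clientlibs/jquery\.min\."),
)

# Assumed location of the project's own vendor jQuery clientlib once it is
# served through the /etc.clientlibs proxy; change this for your project.
VENDOR_JQUERY_PATTERN = re.compile(r"/my-site/clientlibs/vendor/jquery")


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in document order."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def classify(src):
    """Label one script src as OOTB jQuery, vendor jQuery, or anything else."""
    if any(p.search(src) for p in OOTB_JQUERY_PATTERNS):
        return "ootb-jquery"
    if VENDOR_JQUERY_PATTERN.search(src):
        return "vendor-jquery"
    return "other"


def audit_jquery(html):
    """Return the script srcs of a page grouped by classification, in load order."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    report = {"ootb-jquery": [], "vendor-jquery": [], "other": []}
    for src in collector.srcs:
        report[classify(src)].append(src)
    return report


def still_loads_ootb_jquery(html):
    """True when the page still includes a Granite/Foundation jQuery build."""
    return bool(audit_jquery(html)["ootb-jquery"])


# Constructed sample page: the scripts Fiona listed, with made-up hashes,
# plus an assumed vendor jQuery clientlib added by the project.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/etc.clientlibs/foundation/clientlibs/main.min.a1b2.css" type="text/css">
<script type="text/javascript" src="/etc.clientlibs/clientlibs/granite/jquery.min.c3d4.js"></script>
<script type="text/javascript" src="/etc.clientlibs/clientlibs/granite/utils.min.e5f6.js"></script>
<script type="text/javascript" src="/etc.clientlibs/clientlibs/granite/jquery/granite.min.0718.js"></script>
<script type="text/javascript" src="/etc.clientlibs/foundation/clientlibs/jquery.min.9a0b.js"></script>
<script type="text/javascript" src="/etc.clientlibs/foundation/clientlibs/shared.min.c1d2.js"></script>
<script type="text/javascript" src="/etc.clientlibs/foundation/clientlibs/main.min.e3f4.js"></script>
<script type="text/javascript" src="/etc.clientlibs/my-site/clientlibs/vendor/jquery/jquery.min.5566.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    result = audit_jquery(SAMPLE_HTML)
    for label, srcs in result.items():
        print(label)
        for src in srcs:
            print("   ", src)
    if still_loads_ootb_jquery(SAMPLE_HTML):
        print("page still loads the out-of-the-box jQuery; check template and clientlib dependencies")
```

Run it against the saved HTML of each page template on publish; any entry under ootb-jquery means some clientlib category or embed on that template still drags in the Granite or Foundation jQuery, which is where the stale version Fiona saw comes from.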