
jQuery cross site scripting - What is this?


Vulnerability description

This page is using an older version of jQuery that is vulnerable to a Cross Site Scripting vulnerability. Many sites are using to select elements using location.hash that allows someone to inject script into the page. This problem was fixed in jQuery 1.6.3.

This vulnerability affects /js/jquery.js.

Discovered by: Scripting (jQuery_Audit.script).

Attack details

Pattern found: 
/*!
 * jQuery JavaScript Library v1.3.2
 * http://jquery.com

What does this mean?

My website is currently using jQuery JavaScript Library v1.3.2.

Will this cause trouble?


Solution

  • Ideally, you should keep your jQuery up to date. However, there are some breaking changes between jQuery versions. 1.7.x started deprecating some event delegations. 2.x started removing support for older browsers.

    For your case, I suggest updating your jQuery library to 1.6.3 as recommended. Then thoroughly test your site to make sure everything still works.

    If 1.6.3 still works, then I suggest updating to 1.7.2. Then thoroughly test your site to make sure everything still works.

    If 1.7.2 still works, then decide if you want to continue supporting older browsers like IE8. If yes, then try updating to 1.11.1. If no, then try updating to 2.1.1. These are the latest versions.

    This may not be an easy thing to do. If you stop at 1.6.3, that is understandable and is fine.
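The check below is an added example, not part of the question or the answer above. It reads the version from a jQuery banner comment like the one the scanner matched, compares it with 1.6.3 (the fix version the report names), and shows a strict way to take an element id from location.hash instead of passing the raw fragment to a selector. The function names and the sample inputs are assumptions made for illustration.

```javascript
// Added example: helper names and sample inputs are constructed for illustration.

// Banner as quoted in the scanner report on this page.
const REPORTED_BANNER = "/*!\n * jQuery JavaScript Library v1.3.2\n * http://jquery.com";

// Extract [major, minor, patch] from a jQuery banner comment.
// Handles the long form ("jQuery JavaScript Library v1.3.2") and the
// short form used in minified builds ("jQuery v1.11.1").
function jqueryVersionFromBanner(source) {
  const m = /jQuery (?:JavaScript Library )?v(\d+)\.(\d+)(?:\.(\d+))?/.exec(source);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3] || 0)] : null;
}

// Numeric comparison: negative if a < b, 0 if equal, positive if a > b.
// Comparing as numbers matters: as strings, "1.11.1" would sort before "1.6.3".
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// true  -> banner reports a version older than 1.6.3
// false -> 1.6.3 or newer
// null  -> no banner found, version unknown
function isBelowFixedVersion(source) {
  const v = jqueryVersionFromBanner(source);
  return v === null ? null : compareVersions(v, [1, 6, 3]) < 0;
}

// Accept the URL fragment only if it is a plain element id; anything
// containing markup or selector syntax is rejected and never reaches $().
function idFromHash(hash) {
  const m = /^#([A-Za-z][A-Za-z0-9_-]*)$/.exec(String(hash));
  return m ? m[1] : null;
}

// Browser usage (not executed here):
//   const id = idFromHash(location.hash);
//   const target = id ? document.getElementById(id) : null;
```

Validating the fragment this way is worth keeping even after the upgrade, since it does not depend on how a given jQuery version parses selector strings.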