jQuery

What is jQuery?

jQuery is a JavaScript library designed to simplify HTML DOM tree traversal and manipulation, as well as event handling, website animation, and AJAX handling.

It is a free and open-source framework using the permissive MIT License.

As of May 2019, jQuery is used by 73% of the 10 million most popular websites.

jQuery most common vulnerabilities

When using jQuery, XSS may arise from two potential vulnerabilities in an application:

  1. Applications making cross-domain requests to untrusted domains may inadvertently execute the script which may otherwise be perceived as safe content.
  2. Requests to trusted API endpoints may be leveraged in XSS attacks if the script can be injected into data sources.

(Test performed by virtuesecurity.com)

Recent jQuery vulnerabilities

  • jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. (in 2019, reported by CVE Details)
  • jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed. (in 2018, reported by CVE Details)
  • Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function. (in 2017, reported by CVE Details)
  • jQuery uses the jQuery.htmlPrefilter method to ensure that closing tags are XHTML-compliant when passed to methods. Japanese security researcher Masato Kinugawa discovered that this implementation was flawed, as the regex could introduce an XSS vulnerability. (Reported by Joomla)
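
The prototype pollution item above, shown as an added example (not code from the original page or from jQuery): deepMerge is a simplified stand-in for a recursive merge such as jQuery.extend(true, {}, …), and the function names, the skipProto flag and the JSON input are constructed for illustration. With the flag off, an own __proto__ key in parsed JSON is merged into Object.prototype; with it on, the key is skipped, which is the kind of guard jQuery 3.4.0 applies.

```javascript
// Simplified stand-in for a recursive ("deep") merge in the style of
// jQuery.extend(true, target, source). This is NOT jQuery's source code.
// skipProto is a hypothetical switch: false = vulnerable behaviour,
// true = hardened behaviour.
function deepMerge(target, source, skipProto) {
  for (const name in source) {
    // Hardened form: never copy the special __proto__ key.
    if (skipProto && name === "__proto__") continue;

    const copy = source[name];
    if (copy !== null && typeof copy === "object" && !Array.isArray(copy)) {
      // For name === "__proto__" on a plain object, target[name] resolves to
      // Object.prototype, so the recursive call writes into the shared prototype.
      const existing = target[name];
      const base = existing !== null && typeof existing === "object" ? existing : {};
      target[name] = deepMerge(base, copy, skipProto);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Merges a constructed JSON document and reports whether a fresh, unrelated
// object inherited the extra property. The global prototype is restored
// before returning so repeated runs are independent.
function mergeAndCheck(skipProto) {
  // JSON.parse creates "__proto__" as an own, enumerable property.
  const untrusted = JSON.parse('{"theme":"dark","__proto__":{"polluted":true}}');
  const merged = deepMerge({}, untrusted, skipProto);
  const polluted = ({}).polluted === true;
  delete Object.prototype.polluted;
  return { polluted: polluted, theme: merged.theme };
}

console.log("without guard:", mergeAndCheck(false));
console.log("with guard:   ", mergeAndCheck(true));
```

The same check (merge untrusted JSON, then inspect a fresh object) works as a regression test against whatever merge helper an application actually ships.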

JavaScript and jQuery vulnerability statistics

Frameworks affected by jQuery vulnerabilities

Most common frameworks use jQuery as their JavaScript framework, so if the jQuery version is not updated, the website may be vulnerable to attacks such as XSS.