We need to get a supported jQuery version for security reasons. Is there anything like End of Support for jQuery versions, similar to End of Life/Supported Versions in PHP (https://www.php.net/supported-versions.php), for security concerns?
Appreciate it if anyone can help with this.
Thank you.
Regards, Nuwan
Reasons to Migrate to jQuery 3.5 or Newer
Upgrading to the latest version of jQuery makes your app more secure by fixing all XSS (cross site scripting attacks) related vulnerabilities as well as vulnerabilities created by native object prototypes.
jQuery seems to be nicely backward compatible. I have been using it for more than a couple of years now through several versions of the core and have not had issues when upgrading except a few minor ones with some plugins.
The installed version of jQuery on the remote host has reached the End of Life (EOL) and should not be used anymore. An EOL version of jQuery is not receiving any security updates from the vendor. Unfixed security vulnerabilities might be leveraged by an attacker to compromise the security of this host.
Secondly, jQuery is still good for certain things, such as rapid prototyping and even animation if you aren't good with CSS. jQuery may be outdated but jQuery is not dead.
jQuery 1.x and 2.x are indeed EOL, but that doesn't mean that they have any very serious known security issues.
There are some problems that can arise in somewhat unusual situations, but as a maintainer of jQuery said:
We don't give any guarantees for jQuery 1.x/2.x - they're officially unsupported - but if a serious vulnerability was detected we might reconsider a patch.
Using the latest version of jQuery will give you more features, and more support in case you want to raise an issue or bug, but it's not essential from a security standpoint, in most cases. (for example, Stack Overflow uses jQuery 1.12.4, and many other sites still use jQuery 1 as well)
Using jQuery 1.x or 2.x is a security risk for Cross Site Scripting. It also demonstrates a lack of code review and code maintenance for the developing team. In today's security landscape, this is no longer acceptable, using end of life, out of support code.
Minimum versions of jQuery as of 2021-12-06:
jQuery 3.6.x or better
jQuery UI 1.13.x or better
CVEs
CVE-2020-11023 6.9 https://nvd.nist.gov/vuln/detail/CVE-2020-11023
CVE-2020-11022 6.9 https://nvd.nist.gov/vuln/detail/CVE-2020-11022
CVE-2015-9251 6.1 https://nvd.nist.gov/vuln/detail/CVE-2015-9251
CVE-2020-11023 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-11022 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-9251 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-829: Inclusion of Functionality from Untrusted Control Sphere
https://cwe.mitre.org/data/definitions/829.html
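The minimum versions and CVEs listed in the answer above can be turned into a check over a page's script references. This is an added example, not code from any of the answers: the first-fixed releases in FIXED_IN are taken from the NVD entries for those CVEs, and the sample markup, host names and function names are constructed for illustration.

```javascript
// Added example. MINIMUMS are the versions named in the answer above;
// FIXED_IN is the first fixed jQuery release per the NVD entry for each CVE.
const MINIMUMS = { "jquery": [3, 6, 0], "jquery-ui": [1, 13, 0] };
const FIXED_IN = {
  "CVE-2015-9251": [3, 0, 0], "CVE-2020-11022": [3, 5, 0], "CVE-2020-11023": [3, 5, 0],
};
// Constructed sample markup (hypothetical hosts and paths).
const SAMPLE_HTML = `
<script src="https://cdn.example/ajax/libs/jquery/1.12.4/jquery.min.js"></script>
<script src="/static/jquery-3.4.1.slim.min.js?cache=1"></script>
<script src="/static/jquery-ui-1.13.2.min.js"></script>
<script src="/static/jquery.min.js"></script>
<script src="/static/jquery.validate-1.19.5.min.js"></script>
<script src="/static/jquery-3.6.0.min.js"></script>`;

// Negative when version a is older than version b ([major, minor, patch]).
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Collect <script src> references to jQuery core or jQuery UI. Plugins such as
// jquery.validate are skipped because only the library's own file names match.
function findLibraries(html) {
  const found = [];
  for (const m of html.matchAll(/<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi)) {
    const path = m[1].split(/[?#]/)[0];
    const file = path.split("/").pop();
    const name = /^jquery(-ui)?(?:[.-]\d+\.\d+\.\d+)?(?:\.slim)?(?:\.min)?\.js$/i.exec(file);
    if (!name) continue;
    // Use the last x.y.z in the path so a CDN directory or the file name both work.
    const ver = [...path.matchAll(/(\d+)\.(\d+)\.(\d+)/g)].pop();
    found.push({ lib: name[1] ? "jquery-ui" : "jquery", src: m[1],
                 version: ver ? ver.slice(1, 4).map(Number) : null });
  }
  return found;
}

// Classify each reference; an unversioned file needs its banner checked by hand.
function audit(html) {
  return findLibraries(html).map(({ lib, src, version }) => {
    if (!version) return { lib, src, status: "unknown-version", cves: [] };
    const cves = lib !== "jquery" ? [] :
      Object.keys(FIXED_IN).filter((id) => cmp(version, FIXED_IN[id]) < 0);
    const status = cmp(version, MINIMUMS[lib]) < 0 ? "below-minimum" : "ok";
    return { lib, src, version: version.join("."), status, cves };
  });
}
console.table(audit(SAMPLE_HTML).map(({ src, ...rest }) => rest));
```

A file name or CDN path only states what the reference claims to be, so a renamed or bundled copy still needs its version banner read from the file itself.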