Is there anything like End of Support for jQuery versions similar to End of Life/Supported Versions for security concern

Tags:

jquery

We need to get the jQuery supported version for security reasons. Is there anything like End of Support for jQuery versions, similar to End of Life/Supported Versions in PHP (https://www.php.net/supported-versions.php), for security concerns?

Appreciated if anyone can help with this.

Thank you.

Regards, Nuwan

Nuwan Fernando Avatar asked Feb 25 '20 07:02

2 Answers

jQuery 1.x and 2.x are indeed EOL, but that doesn't mean that they have any very serious known security issues.

There are some problems that can arise in somewhat unusual situations, but as a maintainer of jQuery said:

We don't give any guarantees for jQuery 1.x/2.x - they're officially unsupported - but if a serious vulnerability was detected we might reconsider a patch.

Using the latest version of jQuery will give you more features, and more support in case you want to raise an issue or bug, but it's not essential from a security standpoint, in most cases (for example, Stack Overflow uses jQuery 1.12.4, and many other sites still use jQuery 1 as well).

CertainPerformance Avatar answered Oct 10 '22 23:10



Using jQuery 1.x or 2.x is a security risk for Cross-Site Scripting. It also demonstrates a lack of code review and code maintenance on the part of the development team. In today's security landscape, using end-of-life, out-of-support code is no longer acceptable.

Minimum versions of jQuery as of 2021-12-06:

  • jQuery 3.6.x or better

  • jQuery-UI 1.13.x or better

CVEs

  • CVE-2020-11023 6.9 https://nvd.nist.gov/vuln/detail/CVE-2020-11023
    CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CVE-2020-11022 6.9 https://nvd.nist.gov/vuln/detail/CVE-2020-11022
    CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CVE-2015-9251 6.1 https://nvd.nist.gov/vuln/detail/CVE-2015-9251
    CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-829: Inclusion of Functionality from Untrusted Control Sphere

https://cwe.mitre.org/data/definitions/829.html

Kat Amsterdam Avatar answered Oct 10 '22 23:10
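An added check (example code, not from either answer or from the jQuery project) that scans page or script text for the jQuery version banner or filename and reports whether it is below the 3.6 minimum given in the answer above and which of the three listed CVEs still apply to it. The fixed-in versions (3.0.0 for CVE-2015-9251, 3.5.0 for CVE-2020-11022 and CVE-2020-11023) are taken from the linked NVD entries, not from this page, and the sample inputs are constructed.

```javascript
// Added example: audit a detected jQuery version against the 3.6 minimum
// recommended in the answer and against the three CVEs it lists.
// Assumption (from the linked NVD entries, not this page): CVE-2015-9251 was
// fixed in 3.0.0; CVE-2020-11022 and CVE-2020-11023 were fixed in 3.5.0.
const MIN_RECOMMENDED = [3, 6, 0];
const FIXED_IN = {
  'CVE-2015-9251': [3, 0, 0],
  'CVE-2020-11022': [3, 5, 0],
  'CVE-2020-11023': [3, 5, 0],
};

// Extract [major, minor, patch] from a jQuery banner ("/*! jQuery v3.4.1 |")
// or a CDN/vendor filename ("jquery-1.12.4.min.js"); null if none is found.
function parseVersion(text) {
  const m = /jquery[ -]v?(\d+)\.(\d+)(?:\.(\d+))?/i.exec(text);
  if (!m) return null;
  return [m[1], m[2], m[3] || '0'].map(Number);
}

// Three-part numeric comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Report the detected version, whether it is below the recommended minimum,
// and which of the listed CVEs are unfixed in that version.
function auditJquery(text) {
  const version = parseVersion(text);
  if (!version) return { version: null, outdated: null, cves: [] };
  const cves = Object.keys(FIXED_IN)
    .filter((id) => compareVersions(version, FIXED_IN[id]) < 0);
  return {
    version: version.join('.'),
    outdated: compareVersions(version, MIN_RECOMMENDED) < 0,
    cves,
  };
}

// Constructed sample inputs: a vendored 1.x banner, a CDN include, a current one.
const SAMPLES = [
  '/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */',
  '<script src="https://code.jquery.com/jquery-3.4.1.min.js"></script>',
  '/*! jQuery v3.6.0 | (c) OpenJS Foundation and other contributors */',
];
for (const s of SAMPLES) console.log(JSON.stringify(auditJquery(s)));
```

Run it over the contents of your vendored scripts or rendered HTML; a result with `outdated: true` or a non-empty `cves` list is the version to schedule for upgrade.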