Migration of jQuery 1.6.3 to 3.3.1.

  • Question

  • Team,

    We recently did a pen test for our applications, and in one of the applications a vulnerability was raised - "Outdated software may contain known vulnerabilities."

    Now, my question

    1) Does jQuery 1.6.3 have security issues?

    2) Is 3.3.1 foolproof against security hacks?

    Thanks,

    Prasenna

    Tuesday, June 19, 2018 6:02 AM

All replies

  • Hi Prasenna,

    We recently did a pen test for our applications, and in one of the applications a vulnerability was raised - "Outdated software may contain known vulnerabilities."

    Does that message have "Message from webpage" in the title bar?

    You should ask the website developers who put the Warning message on their site. The weakest security link on any network/web application is the NUT that holds the keyboard. In terms of IE11 and other web browsers, the number 1 security/privacy risk from outdated software is the continued use of browser plugins/ActiveX controls (Flash, QuickTime, WMP, Java JRT, etc.).

    Your testing cycle should include running browsers in noAddons mode and disabling common browser plugins/ActiveX controls. Additionally, IE uses security zones and has an "ActiveX filtering" and "Tracking Protection" feature built-in. Also IE has 'Security zones'... outcomes in IE will depend on which IE security zone a client has mapped the Host to. Use the file>Properties menu to determine which IE security zone your test/dev/production host is mapped to. For legacy intranet sites, your company should be using Enterprise Site Mode lists to handle backward compatibility. Use the f12>Emulation tab to confirm the Emulation mode that is being used and how it is established, e.g. IE8 enterprise - Enterprise site mode lists, IE5 - "Display intranet sites in compatibility view".

    ans:

    1. It depends on what content your website has. forums.jquery.com

    2. It depends on the content of your website and the browser platform of the client.

    Regards.

    Questions regarding Internet Explorer 8, 9 and 10 and Internet Explorer 11 for the IT Pro Audience. Topics covered are: Installation, Deployment, Configuration, Security, Group Policy, Management questions.


    Rob^_^

    Tuesday, June 19, 2018 9:08 PM
  • Thanks for your suggestion on IE settings Rob, shall look into those!

    *\ Does that message have "Message from webpage" in the title bar? \* - This message was given to us by the pen test organization in their report - "Outdated software may contain known vulnerabilities."

    We had actually migrated jQuery to 3.3.1 and this has opened up Pandora's box.

    Below are some of the issues,

    Issue 1:

    Prior to migration, with jQuery 1.6.3 – In a web page, a user can select only one checkbox; when the user selects another checkbox, the already checked one will be unchecked.
    After migration to jQuery 3.3.1 – In a web page, a user is able to select multiple items in the checkbox. See below image. Across browsers (IE, Edge, Chrome, Firefox) we are experiencing this.

    Issue 2:

    Prior to migration, with jQuery 1.6.3 – Generate Report hyperlink was enabled in Firefox to view the reports.
    After migration to jQuery 3.3.1 – Generate Report hyperlink is disabled in Firefox to view the reports.

    One of the suggestions from our peers is to keep the jQuery, as that is not extensively used in the application, which is why I had raised the question.
    Tuesday, June 19, 2018 11:35 PM
  • Hi,

    You will have to get your programmers to debug your websites/intranet sites for you. It sounds like you are using ASP.NET or another server-side framework that uses UserAgent sniffing and/or you are using jquery.browser to version sniff the client UserAgent string... jquery.browser is deprecated. Your programmers need to use feature testing instead.

    Use the f12>emulation tab to determine what Emulation mode has been applied and how. Your company by now should be using IE Enterprise Site mode lists to manage backward compatibility of legacy intranet sites.

    Use the debug tab to debug your scripts or search for the jquery browser or navigator.userAgent object(s) in your code.

    Regards.

    Rob^_^

    Saturday, June 23, 2018 6:59 AM
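
The search suggested in the last reply (for the jquery browser or navigator.userAgent objects in your code) can be scripted; the Node.js sketch below is an added example, not code from this thread, and its function names and sample source are constructed for illustration. jQuery.browser was removed in jQuery 1.9, so any line it flags for that object will fail under 3.3.1 and should be replaced with a feature test.

```javascript
// Added example (not from the thread): list lines in a script that sniff the
// browser via jQuery.browser or navigator.userAgent, so they can be reviewed
// and replaced with feature tests before or after a jQuery upgrade.
const PATTERNS = [
  { kind: 'jquery.browser', re: /(?:\$|\bjQuery)\.browser\b/ },
  { kind: 'navigator.userAgent', re: /\bnavigator\.userAgent\b/ },
];

// Returns [{ line, kind, text }] for every non-comment line that matches.
function findUaSniffing(source) {
  const hits = [];
  source.split(/\r?\n/).forEach((raw, i) => {
    const text = raw.trim();
    // Skip lines that are only comments; they do not execute.
    if (text.startsWith('//') || text.startsWith('/*') || text.startsWith('*')) return;
    for (const { kind, re } of PATTERNS) {
      if (re.test(text)) hits.push({ line: i + 1, kind, text });
    }
  });
  return hits;
}

// Counts hits per pattern kind, e.g. { 'jquery.browser': 2, ... }.
function summarize(hits) {
  return hits.reduce((acc, h) => {
    acc[h.kind] = (acc[h.kind] || 0) + 1;
    return acc;
  }, {});
}

// Constructed sample input; in practice read each .js file with fs.readFileSync.
const SAMPLE = [
  "// legacy handler, relied on $.browser",
  "if ($.browser.msie && parseInt($.browser.version, 10) < 9) {",
  "  $('#report').attr('disabled', 'disabled');",
  "}",
  "var isFirefox = /Firefox/.test(navigator.userAgent);",
  "if (jQuery.browser.mozilla) { enableReportLink(); }",
  "if ('addEventListener' in window) { init(); }", // feature test: not flagged
].join('\n');

for (const h of findUaSniffing(SAMPLE)) {
  console.log(`line ${h.line} [${h.kind}] ${h.text}`);
}
console.log(summarize(findUaSniffing(SAMPLE)));
```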