Steps to Reproduce
Google’s security team reported this Medium-level security vulnerability. The vulnerability allows 3rd party arguments to $.get() to auto-execute if the content type is text/javascript.
In practical terms, applications that use $.get() are vulnerable if they query an untrusted/compromised website.
Addressing the Issue
Successful exploitation of this vulnerability may allow attackers to obtain sensitive information, steal cookies and/or execute Javascript or HTML code. Clients using jQuery prior to 3.0.0 should upgrade immediately to this version (the fix was never applied to the 2.x branch).
Learning and Prevention
One way cross-site Scripting (XSS) vulnerabilities are expressed is by visiting compromised websites. In this case, the $.get() command is used to visit a site that has code intended to gain access to data or protected subsystems. The browser unknowingly executes the malicious code.
Although it’s important when using $.get() to ensure that the target site is a known, safe entity, this is not always possible. Thus, escaping the content obtained from the target site is the customary method to guard against this exploit (“escaping” is a form of data sanitization). The process of escaping the content converts the code into something that can’t be executed, thereby rendering the payload safe.
Conclusion
Obtain the latest version of jQuery with the fix applied by being a customer of the HeroDevs jQuery NES service. Customers get immediate notification and are able to easily update their systems. Contact HeroDevs to get Never-Ending support for jQuery today.
Resources
NIST CVE-2015-9251 entry