CVE-2019-11358

Cross-Site Scripting
Affects
jQuery
>=1.1.4 <3.4.0
in
jQuery
No items found.
Exclamation circle icon
Patch Available
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Steps to Reproduce

Versions of jQuery before 3.4.0 contain this Medium level vulnerability, called Prototype Pollution. If an unsanitized source object contains an enumerable __proto_property (enumerable means it can be used in a for...next loop), malicious code has access to the native Object.prototype object. With this access, the attacker can extend this fundamental object in ways that all Javascript objects would inherit, thereby introducing many possible attack vectors. The jQuery 3.4.0 Release blog entry has additional explanation that is worth reading.

Addressing the Issue

Clients should update to jQuery 3.4.0 immediately and always ensure their custom programming sanitizes source objects with the aim of preventing the Prototype Pollution vulnerability.  For clients unable to migrate to jQuery 3, HeroDevs provides Never Ending Support for jQuery 1 and 2 with fixes in place.

Learning and Prevention

In addition to sanitizing objects, there are many practices that help avoid the problem, from using immutable objects to property whitelisting to using Object.create(null) to create an object without a prototype. Note that this list is not exhaustive and jQuery developers should be knowledgeable in safe programming practices to reduce the risk of this sort of exploit.

Conclusion

HeroDevs jQuery Never-Ending Support provides versions of jQuery 1 as well as jQuery 2 with fixes in place to correct the potential security hole described by CVE-2019-11358. To stay apprised of security updates like these, contact us today to become a customer.

Resources

Vulnerability Details
ID
CVE-2019-11358
PROJECT Affected
jQuery
Versions Affected
>=1.1.4 <3.4.0
Published date
April 19, 2019
≈ Fix date
February 1, 2023
Fixed in
Severity
Medium
Category
Cross-Site Scripting