CVE-2019-11358

Cross-Site Scripting
Affects
jQuery
>=1.1.4 <3.4.0
Patch Available
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Steps to Reproduce

Versions of jQuery before 3.4.0 contain this medium-severity vulnerability, known as Prototype Pollution. If an unsanitized source object contains an enumerable __proto__ property (enumerable means it is visited by a for...in loop), malicious code gains access to the native Object.prototype object. With that access, an attacker can extend this fundamental object in ways that every JavaScript object inherits, opening many possible attack vectors. The jQuery 3.4.0 release blog entry has additional explanation that is worth reading.

Addressing the Issue

Clients should update to jQuery 3.4.0 immediately and always ensure their custom code sanitizes source objects with the aim of preventing the Prototype Pollution vulnerability. For clients unable to migrate to jQuery 3, HeroDevs provides Never-Ending Support for jQuery 1 and 2 with fixes in place.

Learning and Prevention

In addition to sanitizing objects, many practices help avoid the problem: using immutable objects, whitelisting the property names that may be copied, or creating objects with Object.create(null) so they have no prototype at all. Note that this list is not exhaustive, and jQuery developers should be knowledgeable in safe programming practices to reduce the risk of this sort of exploit.
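The following Node.js example is added here to illustrate the mechanism described under Steps to Reproduce and the sanitizing guidance above; it is not jQuery's code nor part of the original advisory. The jQuery 3.4.0 release notes place the flaw in the deep-merge path of jQuery.extend(true, ...), so a toy recursive merge stands in for it here beside a hardened version that refuses prototype-bearing keys; the function names, the FORBIDDEN_KEYS set and the sample JSON are constructed.

```javascript
function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable stand-in for the pre-3.4.0 behaviour: every enumerable key of the
// source is copied, including an own "__proto__" key. target["__proto__"] reads
// as Object.prototype, which looks plain, so the recursion writes into it.
function deepMergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      deepMergeUnsafe(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: skip prototype-bearing keys (the "__proto__" guard 3.4.0 added,
// extended to constructor/prototype) and only recurse into own properties.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function deepMergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    if (isPlainObject(source[key])) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      deepMergeSafe(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Constructed untrusted input. JSON.parse yields an *own* enumerable
// "__proto__" key; an object literal with that key would set the prototype.
const UNTRUSTED_JSON = '{"title":"hello","__proto__":{"isAdmin":true}}';

// Merges the sample, reports whether an unrelated fresh object now inherits the
// injected property, then removes any pollution so later code is unaffected.
function probe(mergeFn) {
  const result = mergeFn({}, JSON.parse(UNTRUSTED_JSON));
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return { title: result.title, leaked };
}
```

Calling probe(deepMergeUnsafe) reports leaked: true, while probe(deepMergeSafe) copies title but reports leaked: false.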

Conclusion

HeroDevs jQuery Never-Ending Support provides versions of jQuery 1 as well as jQuery 2 with fixes in place to correct the potential security hole described by CVE-2019-11358. To stay apprised of security updates like these, contact us today to become a customer.