jQuery vulnerability -- upgrade needed

[MrPhil]

jQuery has a (recently patched) vulnerability to "prototype pollution" attacks, which can be used to escalate authority of hackers and do nasty things.

Article: https://www.zdnet.com/article/popular-jquery-javascript-library-impacted-by-prototype-pollution-flaw/

Quote

Tal, who worked with the Node.js team to report the bug to the jQuery team, recommends that web developers update their projects to the latest jQuery version, v3.4.0.

Today, most websites are still using the 1.x and 2.x branches of the jQuery library, which means that the vast majority of jQuery-based apps and websites are still open to attacks.

The article goes on to note that there have been some API changes since v1 and v2, so upgrading jQuery is more than just dropping in a new library.

[burt]

Note that CE has been on the 3.x jQuery for over 2.5 years. 

CE is presently on 3.3.1 (edge) and 3.1.1 (frozen), easy way to check external libraries on the Wiki;

https://github.com/gburton/Responsive-osCommerce/wiki/External-Libraries

[puddlec]

6 minutes ago, burt said:

Note that CE has been on the 3.x jQuery for over 2.5 years. 

CE is presently on 3.3.1 (edge) and 3.1.1 (frozen), easy way to check external libraries on the Wiki;

https://github.com/gburton/Responsive-osCommerce/wiki/External-Libraries

not in the admin, still on 2.x branch,  ui is also out of date now at 1.12.1 

jquery-2.2.3.min.js

jquery-ui-1.10.4.min.js

[puddlec]

just had a quick look to see what i could see  in terms of jquery

also seen references to 1.x branch 

  document.write('<scr' + 'ipt src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></scr' + 'ipt>');

was found in admin/paypal.php

admin/orders.php

admin/includes/modules/dashboards/d_paypal_app.php

catalog/includes/modules/payment/paypal_pro_dp.php

catalog/includes/modules/payment/paypal_pro_hs.php

 

jquery 2.x in

admin/includes/template_top 

 

jquery 3.x in

catalog/includes/template_bottom.php

 

that covers all the references to jQuery that i have found (based on latest version of edge) 

[♥Stephan Gebbers]

Quote

Taking into account that there's some syntax breakage between the three major versions and that web developers would rather throw acid on their face than re-write their frontends, most websites are bound to continue to use older versions for the foreseeable future.

Fortunately, the patch has been backported to previous releases.

https://github.com/DanielRuf/snyk-js-jquery-174006

[burt]

3 hours ago, puddlec said:

not in the admin, still on 2.x branch,  ui is also out of date now at 1.12.1 

jquery-2.2.3.min.js

jquery-ui-1.10.4.min.js

Admin side is not started. 

Waiting on more support from individuals and companies using osCommerce, in order to march forward.

[milerwan]

On 4/25/2019 at 3:17 PM, burt said:

Note that CE has been on the 3.x jQuery for over 2.5 years. 

CE is presently on 3.3.1 (edge) and 3.1.1 (frozen), easy way to check external libraries on the Wiki;

https://github.com/gburton/Responsive-osCommerce/wiki/External-Libraries

Hi Burt,

I have an old 2.3.4 version (always under jquery-2.2.3) and when I try to update by jquery-3.4.x, I have issues with :
- data-toggle="dropdown"
- data-toggle="tab"
- modal cart module
etc

What are the changes to operate to be in line with the new version of jquery ?
Is it necessary to update Bootstrap version too to make the new jquery version works or no consequence ?

Thank you for your time.

[burt]

@milerwan I do not recall any issues like that, sorry.  Maybe you can update to Phoenix? 

And get rid of all the sliders on your home page, I have a headache now  

[Demitry]

I have BS Edge running on PHP 7.2 and decided to try updating the jQuery version from 3.1.1 to 3.4.1 on the catalog side.

I cannot see any issues at this point. The checkout seems to work fine and nothing seems to be off.

Is there anything in particular I should be looking for? Nothing seems to be breaking the site or causing problems.

And, are there any other changes I need to make, other than adding the new jQuery 3.4.1 file to /ext/jquery/ folder and changing the call for that file in /includes/template_top.php?

 

[Demitry]

hi Phil,

Quote

The article goes on to note that there have been some API changes since v1 and v2, so upgrading jQuery is more than just dropping in a new library.

What API changes are there? As I mentioned in the post above, I installed the latest jQuery v3.4.1 and everything is running smooth. Are there any other changes I need to make?