jQuery cross-site scripting vulnerability affects a large number of websites

Snyk released its 2019 JavaScript Framework Security Report (PDF). In addition to the security vulnerabilities of the most popular JS frameworks and of Express and React, the report looked at three other popular JS front-end frameworks: Vue.js, Bootstrap, and jQuery.

jQuery has been downloaded more than 120 million times in the past 12 months, about the sum of the 40 million downloads for Vue.js and the 79 million for Bootstrap. Four vulnerabilities were found in Vue.js, and they have been fixed.

Seven cross-site scripting vulnerabilities were found in Bootstrap, three of which were disclosed in 2019 without security fixes. Six security vulnerabilities affecting all versions were identified in jQuery: four medium-risk cross-site scripting vulnerabilities, one medium-severity Prototype Pollution vulnerability, and one low-risk denial-of-service vulnerability.

Versions above jQuery 3.4.0 are not affected by the vulnerability. Several malicious extension packages were also found in the jQuery ecosystem, including jquery.js, jquery-airload, github-jquery-widgets, jquery-mobile, jquery-file-upload, and jquery-colorbox. Over the past year these packages have been downloaded from a few hundred to a few thousand times.
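A dependency check built from the two facts above, as an added example that is not from the article or from Snyk: it walks a parsed `package-lock.json`, including nested transitive copies, and reports any of the package names listed above and any `jquery` copy that is not above 3.4.0. The function names, reason strings and sample lockfile are constructed for illustration.

```javascript
// Added example. Package names and the 3.4.0 threshold come from the article text.
const FLAGGED = new Set(['jquery.js', 'jquery-airload', 'github-jquery-widgets',
  'jquery-mobile', 'jquery-file-upload', 'jquery-colorbox']);
const JQUERY_FLOOR = [3, 4, 0];
const NM = 'node_modules/';

// Strictly greater than `floor`; unparseable versions return false so they get reported.
function isAbove(version, floor) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) return false;
  const v = m.slice(1).map(Number);
  for (let i = 0; i < 3; i++) if (v[i] !== floor[i]) return v[i] > floor[i];
  return false;
}
function classify(name, version, path) {
  let reason = null;
  if (FLAGGED.has(name)) reason = 'listed-malicious-package';
  else if (name === 'jquery' && !isAbove(version, JQUERY_FLOOR)) reason = 'jquery-not-above-3.4.0';
  return reason && { name, version, path, reason };
}

function auditLockfile(lock) { // `lock`: a parsed package-lock.json object
  const findings = [];
  const add = (f) => { if (f) findings.push(f); };
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf(NM);
    if (i < 0) continue; // root project ("") or a workspace folder
    add(classify(path.slice(i + NM.length), meta.version, path));
  }
  // lockfileVersion 1: nested "dependencies" tree, covering transitive copies.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = prefix + NM + name;
      add(classify(name, meta.version, path));
      walk(meta.dependencies, path + '/');
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return findings;
}
// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = { packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/jquery': { version: '3.5.1' },
  'node_modules/legacy-widget/node_modules/jquery': { version: '1.12.4' },
  'node_modules/jquery-airload': { version: '0.0.1' },
} };
console.log(auditLockfile(SAMPLE_LOCK));
```

On a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `auditLockfile`; a non-empty result is a reason to fail the build.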
