Topic: Retirable jQuery library


polonus
Retirable jQuery library
« on: May 24, 2020, 02:45:24 PM »
Found on a DOM-XSS scan: Results from scanning URL:
-https://code.jquery.com/jquery-1.11.2.min.js
Number of sources found: 43
Number of sinks found: 19
Mitigated through the Decentraleyes extension:
chrome-extension://ldpochfccmkkmhdbclfhpagapcfdljkj/resources/jquery/1.11.2/jquery.min.jsm?_=920a76b773470b239f10c261

Re: https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=Xl0jey5qcXV7fXkuXl1tYGpxdXt9eS0xLjExLjIubVtuLmpz~enc

Medium risk threat: https://retire.insecurity.today/#!/scan/ad88518ae1feecd035f9a64f255e3818222c108e6bf2749a905271c9a72dfd46

/jquery-1.11.2.js
issue 2432
issue 11974
issue 4642
issue 4647

Bug 9521 - $("#<img src=x onerror=...>")
Bug 11290 - $("element[attribute='<img src=x onerror=...>'")
jQuery issue 2432 - 3rd party $.get() auto executes if content type is text/javascript
jQuery issue 11974 - parseHTML executes inline scripts like event handlers
jQuery issue 4642 - htmlPrefilter unwraps things it shouldn't
jQuery issue 4647 - select/option wrapping unwraps can cause XSS

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
« Last Edit: May 24, 2020, 03:08:06 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
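The scan result above is what a retire.js-style version check produces: it reads the library version out of the script reference and lists the known issues that a version below the fix release still carries. Below is an added example of such a check, not code from the forum post or from retire.js; the issue ids and descriptions are the ones quoted in the post, while the fixedIn release numbers are an assumption of this example (not stated on the page) that should be verified against the retire.js repository data. It also shows that the Decentraleyes copy carries the same version string as the CDN copy, so it gets the same findings.

```javascript
// Added example (not from the post or retire.js): a minimal retire.js-style
// check for a jQuery script reference.

// Issue ids and notes are those quoted in the post. The fixedIn versions are an
// ASSUMPTION of this example, not from the page: verify them against the
// retire.js repository data before relying on them.
const JQUERY_ISSUES = [
  { id: "issue 2432",  fixedIn: "3.0.0", note: "$.get() auto-executes text/javascript" },
  { id: "issue 11974", fixedIn: "3.0.0", note: "parseHTML executes inline event handlers" },
  { id: "issue 4642",  fixedIn: "3.5.0", note: "htmlPrefilter unwraps things it shouldn't" },
  { id: "issue 4647",  fixedIn: "3.5.0", note: "select/option unwrapping can cause XSS" },
];

// Pull a version out of the two URL layouts seen in the thread:
//   https://code.jquery.com/jquery-1.11.2.min.js
//   chrome-extension://<id>/resources/jquery/1.11.2/jquery.min.jsm?_=...
// The host "code.jquery.com" does not match because "jquery" there is
// followed by ".", not by "-" or "/".
function jqueryVersionFromUrl(url) {
  const m = /jquery[-\/](\d+\.\d+(?:\.\d+)?)(?=[.\/?]|$)/i.exec(url);
  return m ? m[1] : null;
}

// Numeric dotted-version compare returning -1, 0 or 1; missing parts count as 0.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Report the listed issues a script reference still carries. A copy served
// from the Decentraleyes bundle is the same version as the CDN copy, so both
// references from the thread produce the same findings.
function retirableIssues(url) {
  const version = jqueryVersionFromUrl(url);
  if (version === null) return { version: null, issues: [] };
  const issues = JQUERY_ISSUES.filter((i) => compareVersions(version, i.fixedIn) < 0);
  return { version, issues };
}

// Constructed sample input: the two script references quoted in the post.
const SAMPLE_URLS = [
  "https://code.jquery.com/jquery-1.11.2.min.js",
  "chrome-extension://ldpochfccmkkmhdbclfhpagapcfdljkj/resources/jquery/1.11.2/jquery.min.jsm?_=920a76b773470b239f10c261",
];
for (const url of SAMPLE_URLS) {
  const r = retirableIssues(url);
  console.log(url, "->", r.version, r.issues.map((i) => i.id).join(", "));
}
```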

polonus
Re: Retirable jQuery library
« Reply #1 on: May 24, 2020, 03:15:20 PM »
Test whether Decentraleyes is fully operational
(allow JavaScript to run in uMatrix please)

Re: https://decentraleyes.org/test/

Preferred result:

 All tests completed.
 Decentraleyes is fully operational.

pol