This is a migrated thread and some comments may be shown as answers.

What version of jQuery being used in the latest version of Telerik UI for ASP.NET AJAX

18 Answers 2179 Views
Documentation and Tutorials
Ambedkar
Ambedkar asked on 17 Jan 2019, 02:19 PM

We are using Telerik UI for ASP.NET AJAX in our .Net Application.

Can someone tell me what is the latest version of jQuery being used in the latest version(Jan 2019) of Telerik UI for ASP.NET AJAX?

18 Answers, 1 is accepted

0
Rumen
Telerik team
answered on 17 Jan 2019, 02:27 PM
Hello Ambedkar,

Telerik® UI for ASP.NET AJAX R1 2019 is coming with jQuery version 1.12.4, which is also modified to backport their fix for a potential CORS XSS vulnerability. Static code scans may still show this vulnerability, but it will be a false positive.

This information is also available in the documentation at jQuery Version History in Telerik UI Controls.

Regards,
Rumen
Progress Telerik
Get quickly onboarded and successful with your Telerik and/or Kendo UI products with the Virtual Classroom free technical training, available to all active customers. Learn More.
0
RajeshN
answered on 06 Nov 2019, 10:55 AM
Hi Rumen,

Thank you for sharing the documentation link, I have gone through it, and it helps!

Best Regards
RajeshN 
0
Rumen
Telerik team
answered on 06 Nov 2019, 01:21 PM

You are welcome, RajeshN! Keep me in touch.

Regards,
Rumen
Progress Telerik
0
Allen
answered on 26 Aug 2020, 01:11 PM
Table of versions is out-of-date.  Please update.  Thanks.
0
Peter Milchev
Telerik team
answered on 26 Aug 2020, 01:31 PM

Hello Allen,

Could you please elaborate which table exactly you are referring to as an "outdated table"?

Here, the versions are correct:

Regards,
Peter Milchev
Progress Telerik
1
Allen
answered on 26 Aug 2020, 01:41 PM

Hi Peter. Thank you for the response. If you look at the referenced table, it says:

jQuery Version History in Telerik UI Controls
Telerik® UI for ASP.NET AJAX R1 2019 - present are using a modified jQuery version 1.12.4 that includes security vulnerability backport fixes. Find more info in the Embedded jQuery Security section.
Telerik® UI for ASP.NET AJAX R2 2018 SP1 - R3 2018 are using jQuery version 1.12.4 (downgraded from 3.3.1 in R2 2018

This table says nothing about 2020 versions, so is it to be inferred that R2 2020 etc. are also using jQuery 1.12.4?

Should be unambiguous - for each release listed, the exact version of Telerik, or a version range, maybe, and the exact version of jQuery embedded/used. And, is your version of 1.1.2.4 any different than what I can download from this:

<script   src="https://code.jquery.com/jquery-1.12.4.min.js"   integrity="sha256-ZosEbRLbNQzLpnKIkEdrPv7lOy9C27hHQ+Xp8a4MxAQ="   crossorigin="anonymous"></script>

Telerik Release     jQuery     Telerik modifications
2020.x.y            1.12.4     added .... removed .... incorporates .....
etc. etc. etc.


0
Peter Milchev
Telerik team
answered on 27 Aug 2020, 11:04 AM

Hello Allen,

As we have discussed in the support thread, it is mentioned that the recent versions since R1 2019 are all using a modified version of jQuery 1.12.4 as explained here:

I agree that it is not clearly visible and easy to miss, so we will review that and update the table to clearly indicate that this applies to all versions since R1 2019.

Regards,
Peter Milchev
Progress Telerik
0
Mark Dennison
answered on 12 Nov 2020, 07:53 PM

Why doesn't Telerik's embedded version of jQuery report a modern or custom version number so that it won't be flagged as a failure every time a client has a PCI or other security scan? This is becoming a significant issue for us and one that I constantly have to defend against to our clients and their security auditors.
https://www.telerik.com/support/kb/aspnet-ajax/details/vulnerabilities-of-jquery-versions-embedded-in-ui-for-asp.net-ajax

All that most penetration test scanners see is the version and instantly declare it evil. The most recent jQuery CVE says: 

Vulnerability Details : CVE-2019-11358
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

Why persist in proclaiming a version from (May 20, 2016)? If this is in hopes of maintaining IE 6–8 support, I think it's time to move on or configure a way to select which version to use.

We tried option 2 from the article above, but despite having jQuery 3.5.1 installed, several Telerik controls failed. So we will update to the latest version of the Ajax controls but they will still report a flawed, vulnerable, 4.5 year old version of jQuery.
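
An added example (not from this thread, Telerik or the jQuery project): a behavioural probe for the CVE-2019-11358 prototype-pollution bug quoted above, which tests what the loaded `extend` actually does rather than reading its version string, so a backported 1.12.4 build and an unpatched one can be told apart. `makeExtend` is a constructed stand-in for jQuery's deep `extend` with and without the 3.4.0 `__proto__` guard; in a real page you would pass the served build's `$telerik.$.extend` to `probeProtoPollution` from the browser console.

```javascript
// Constructed stand-in for jQuery.extend(true, target, source) so the probe
// runs offline. guardProto=false mirrors the pre-3.4.0 behaviour; guardProto=true
// mirrors the fix (skip a source key literally named "__proto__").
function makeExtend(guardProto) {
  const isPlainObject = (v) =>
    Object.prototype.toString.call(v) === "[object Object]";
  return function extend(deep, target, source) {
    for (const name of Object.keys(source)) {
      if (guardProto && name === "__proto__") continue;
      const copy = source[name];
      if (deep && isPlainObject(copy)) {
        // Unguarded: target["__proto__"] resolves to Object.prototype, so the
        // recursive merge writes into the prototype shared by every object.
        const base = isPlainObject(target[name]) ? target[name] : {};
        target[name] = extend(deep, base, copy);
      } else {
        target[name] = copy;
      }
    }
    return target;
  };
}

// Returns true if `extend` lets an untrusted JSON document pollute
// Object.prototype. Accepts any jQuery-compatible extend, e.g. $telerik.$.extend.
function probeProtoPollution(extend) {
  // Unique marker so a leaked property cannot collide with application code.
  const marker = "probe_" + Math.random().toString(36).slice(2);
  // JSON.parse yields an *own* "__proto__" key, exactly as attacker-controlled
  // JSON would; an object literal would set the prototype instead.
  const untrusted = JSON.parse('{"__proto__": {"' + marker + '": true}}');
  try {
    extend(true, {}, untrusted);
    return ({})[marker] === true;
  } finally {
    delete Object.prototype[marker]; // always undo any pollution the probe caused
  }
}

// Results for both constructed builds, returned rather than printed.
function compareBuilds() {
  return {
    unpatched: probeProtoPollution(makeExtend(false)),
    patched: probeProtoPollution(makeExtend(true)),
  };
}
```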

0
Allen
answered on 12 Nov 2020, 08:36 PM
I think this issue is more serious for Mark than my situation, but the fundamental issue is there to consider.
0
Rumen
Telerik team
answered on 13 Nov 2020, 08:43 AM

Hello everyone,

I agree with you that it is pretty inconvenient and annoying to get warnings by the security scanners for the used version of jQuery.

We can not, unfortunately, upgrade the jQuery to its latest release because it is not compatible with the MS AJAX (ASP.NET Web Forms) framework. The __doPostBack method of MS AJAX does not work (postback) with jQuery 3.x.x (see Breaking change: jQuery 3.0 runs in Strict Mode here and here) and this is causing problems in a number of Telerik AJAX components in Firefox.

That's why we backported all known security fixes from jQuery 3.x in the customized version of jQuery 1.12.4 distributed with the AJAX suite to ensure that there aren't any known security holes in it.

The https://docs.telerik.com/devtools/aspnet-ajax/general-information/using-jquery/using-jquery#embedded-jquery-security page is up-to-date and includes all the information about the changes and improvements we made in the custom jQuery we distribute with the suite.

Best Regards,
Rumen
Progress Telerik
0
Mark Dennison
answered on 13 Jan 2021, 08:39 PM
Since your embedded version of jQuery is not really 1.12.4 or 3.5.1+. As you say, Telerik distributes a custom version; therefore, seems like it should report a custom version # too so that it doesn't get flagged as old and unsafe. Is that possible or allowed? Or would jquery.org frown on that?
0
Rumen
Telerik team
answered on 14 Jan 2021, 07:47 AM

Hi Mark,

Thank you for sharing your nice idea.

The jQuery version distributed by Telerik.Web.UI is 1.12.4 - it just incorporates three security fixes provided by the jQuery team - they are listed in this article Embedded jQuery Security. We are not aware of any security problems and haven't received any vulnerabilities reports.

Even if we update or remove the version from the embedded jQuery file, there isn't any guarantee that the security scanners will stop reporting it as vulnerable since they are mainly looking for the jQuery version.

On the other hand, we cannot contact all the security companies to explain to them that we have applied the patches provided by jQuery and ask them to tweak their tools to not mark the custom version.

That is why we suggest everybody who does not trust the embedded jQuery in Telerik.Web.UI to import their desired version of jQuery - Including external jQuery.

Best Regards,
Rumen
Progress Telerik
Mark Dennison
commented on 05 Aug 2021, 03:10 PM

The reasoning here makes no sense. Any time jQuery.org has to fix a vulnerability, they issue a new version with an updated version #. They don't say, "it's the same version but we fixed the issue", because how would users know if they have the fixed version or not?  So the version Telerik distributes may be based on 1.12.4, but in truth it's custom. 

If Telerik really believes the jQuery version # here doesn't matter, because it's mostly 1.12.4, then why does Telerik update version numbers for any of its own products. Shouldn't fixes be back ported and products re-issued with the same versions #. 

Security scanners and auditors typically base their checks on versions of products reported by their queries. So having this 6 year old jQuery version # leads to a security failure every year, when clients have their sites audited. We have thousands of clients and they have staff turnover and other things to worry about, as do the audit companies, as does my company, so year over year they do NOT remember why this version with reported vulnerabilities isn't an issue. So this trivial little version issue wastes time and money for at least 1 person at each company (mine, our client, their auditor) every time it comes up, and multiply that by the hundreds to thousands of our clients encountering this every year. Now multiply that by the number of Telerik clients dealing with this and we are talking about far more money than it could possibly cost Telerik to find a solution to this.

Rumen
Telerik team
commented on 10 Aug 2021, 11:14 AM

Hi Mark,

I do appreciate your opinion!

Please allow me to explain the reasoning behind Telerik UI for ASP.NET AJAX distributing, in terms of security, a custom version of jQuery 1.12.4 rather than the latest one:

 

With regards to the annual security audits and how to save your customers and personal time:

  • You can configure the Telerik AJAX controls in your app to work with external jQuery 3.x.x and this way the website will import the latest version of jQuery and the security scanners won't mark it as vulnerable. The only known jQuery 3 issue that we are currently aware of is the boundary detection issue.

Once again, thank you for your feedback!

0
Allen
answered on 14 Jan 2021, 01:38 PM

Rumen, you have been more than clear all along. The question is not whether Telerik has done the responsible thing and updated your variant to be 'safe' and avoid the security holes innate to the widely distributed versions of jQuery.  The basic problem seems to be that scanners are not finding the 'magic strings' they expect within the Telerik jQuery / source, and raise an alarm, as they should.

Would it be even remotely possible to consider some sort of aliasing that would bypass/spoof the scanner's check while not compromising true security?  This is not necessarily risky per se if you provide appropriate hash verifications and what not to ensure that all that is truly different in an aliased version compared with the base 1.2.4 is the version.  Certainly this will not work if the security scanners are smart enough to look deeper into the actual jQuery but... maybe?  Licensees can decide to accept or reject this risk at their peril.

Happy New Year.  Gotta be better than this past one.

0
Rumen
Telerik team
answered on 15 Jan 2021, 10:32 AM

Hi Allen,

Happy New Year 2021! I wish you health and a lot of happiness to you and your family!

From a security point of view, we are not allowed to trick the scanners and it would be bad practice. What is more important here is how the scanners work and whether they check the Telerik.Web.UI.dll or just the Telerik web resources files which are served by the server.

Do you get any errors/warnings when the Telerik UI components are configured to use an external jQuery?

I also tested Telerik.Web.UI with jQuery 3.5.1 and noticed that the __doPostBack() problem related to the "use strict" rule in Firefox is not reproducible, which is great news. The only known problem which still persists is the one with the boundaries detection discussed in this feedback portal item. None of the other issues listed in the sticky thread is reproducible with jQuery 3.5.1.

That's why can you please test your app with external jQuery 3.5.1 and let me know whether:

  • the vulnerability scanners which you use still mark the jQuery version used by the Telerik ASP.NET AJAX controls as vulnerable?
  • there are any problems, visual and functional with the Telerik AJAX controls and in their behavior?

Thank you!

Best Regards,
Rumen
Progress Telerik
0
Allen
answered on 15 Jan 2021, 07:09 PM
Thx. I suspected as much. Really a hack.
0
Rumen
Telerik team
answered on 18 Jan 2021, 08:50 AM

Hi all,

@Allen - Yes indeed, changing the version string is going to be kind of a hack to trick the scanners. 
@Everybody willing to use jQuery 3.x.x with Telerik ASP.NET AJAX - Please configure the controls in your app to work with external jQuery 3.5.1 and let me know whether:
  • the vulnerability scanners still mark the jQuery version used by the Telerik ASP.NET AJAX controls as vulnerable? If yes, which scanner did you use and what was the test result exactly (please provide a screenshot of the result)? 
  • there are any problems (except the known boundary detection issue) - visual, functional, side effects with the Telerik AJAX controls?

Best Regards,
Rumen
Progress Telerik
0
Allen
answered on 19 Jan 2021, 03:25 PM

I am not so sure this will be easy to do. Maybe I am clueless, again, but it seems like your syntax conventions for jQuery calls are different from the mainstream??? I have encountered problems with standard jQuery calls when NOT loading the external and relying on the built-in. I can try to find an example, but something like the following misbehaved (as I recall) so I had to comment it out. It would be quite helpful to see where your shortcuts such as $find either replace or complement the standard jQuery equivalent.

Keeping this thread alive may be beating a dead horse, to use a cliche...

//var helpIcon = document.createElement('i');
//helpIcon.className=("fas fa-question fa-sm button-icon-black button-icon ");
//$.find("#mapLegend")[0].appendChild(helpIcon);
0
Rumen
Telerik team
answered on 20 Jan 2021, 09:04 AM

Hi Allen,

When using the embedded jQuery in Telerik, you can get access to it via

var $ = $telerik.$

so your example code should become

$telerik.$.find("#mapLegend")[0].appendChild(helpIcon);

or 

<script>
    var $ = $telerik.$;
    $(document).ready(function () {
        var helpIcon = document.createElement('i');
        helpIcon.className = ("fas fa-question fa-sm button-icon-black button-icon ");
        $.find("#mapLegend")[0].appendChild(helpIcon);
    });
</script>
<span id="mapLegend"></span>

as explained in this article Using the jQuery Brought by Telerik.

Regards,
Rumen
Progress Telerik