Rank 1
Hi,
Im using Telerik 2015.1.401.45 version.
In the ScriptResource.axd, it is showing that is using the JQuery 1.11.1 version.
But we wanted to removed the JQuery 1.11.1 reference as there might be vulnerability issue.
Is there any way to remove the JQuery from Telerik and not showing in ScriptResource.axd?
Thanks.
2 Answers, 1 is accepted
Hi Hock,
Telerik UI for ASP.NET AJAX controls are all script controls that heavily rely on JavaScript/jQuery to operate. Eliminating jQuery will basically make the controls stop working.
If you are having concerns with the jQuery version 1.11.1, you can always import another version. Instructions for that are described in the Using jQuery and Disabling the Embedded jQuery articles.
As for the reported vulnerability in jQuery 1.11.1 - in most cases this is considered a false positive or an application logic flaw and the jQuery team gave in to peer pressure when implementing a fix. You can read more of the discussion here: Inadequate/dangerous jQuery behavior for 3rd party text/javascript responses.
A potential attack requires the following:
- The end user to perform a badly formed AJAX request without a data type. Your application code should not do that anyway.
- The response to be malicious. Your application should not be doing that either.
- For CORS requests - the end user must request data from a third party site manually (via the dev toolbar) and that data must attack the end user. Such a request should not be a part of the application code and if the user did that themselves, you cannot stop them. If the user is already compromised and third party code already executes in their browser, then the attacker can easily include the needed jQuery version even if your site brings jQuery 3 already.
- The jQuery variable must be widely known like window.$. Ours is in window.$telerik.$ so a generic attack would hardly know where to look for it. If the attacker is that specific, they could easily include jQuery 1.11.1 themselves, as part of the attack, instead of looking for ways to exploit the existing page.
Thus, your application in itself should not be exposed to a threat. Your end users should not be exposed via your application as well, yet fully protecting them is not possible from a developer perspective.
In general, static security scans should be reviewed in context. More often than not, issues they report are false positives and have their justifications. In this instance, the application code must be vulnerable, or the end user must already be compromised, in order for an attack to take place. The former is in the domain of the application developer, the latter is out of the developer's area of influence. Such an attack can/will occur regardless of the jQuery version present in our assembly.
Kind regards,
Attila Antal
Progress Telerik
Hi Hock,
We have also created a Knowledge Base article addressing the vulnerabilities: Vulnerabilities of jQuery versions embedded in UI for ASP.NET AJAX
Kind regards,
Attila Antal
Progress Telerik