If you have concerns about jQuery version 1.11.1, you can always import another version. Instructions for that are described in the Using jQuery and Disabling the Embedded jQuery articles.
A potential attack requires the following:
- The end user to perform a badly formed AJAX request without a data type. Your application code should not do that anyway.
- The response to be malicious. Your application should not be doing that either.
- For CORS requests, the end user must request data from a third-party site manually (via the dev toolbar) and that data must attack the end user. Such a request should not be a part of the application code, and if the user did that themselves, you cannot stop them. If the user is already compromised and third-party code already executes in their browser, the attacker can easily include the needed jQuery version even if your site already brings jQuery 3.
- The jQuery variable must be widely known, like window.$. Ours is in window.$telerik.$, so a generic attack would hardly know where to look for it. If the attacker is that specific, they could easily include jQuery 1.11.1 themselves as part of the attack instead of looking for ways to exploit the existing page.
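The first two conditions in the list above (a request with no explicit data type, and a response the application does not control) can be audited in application code. The following is an added example, not code from this article or from the Telerik UI assemblies; it assumes request settings shaped like jQuery's `$.ajax` options (`url`, `dataType`) and a known page origin.

```javascript
// Added example (not from the Telerik article). Audits jQuery-style $.ajax
// settings for the conditions listed in the text: no explicit dataType (so a
// legacy jQuery infers the response type from Content-Type and may execute a
// script response) combined with a cross-origin URL whose server controls the
// response. Assumption: settings use jQuery's option names (url, dataType).

const EXECUTING_TYPES = new Set(['script', 'jsonp']);

// True when `url`, resolved against the page origin, targets a different origin.
function isCrossOrigin(url, pageOrigin) {
  return new URL(url, pageOrigin).origin !== new URL(pageOrigin).origin;
}

// Returns { crossOrigin, issues }; `issues` is empty for a request that already
// follows the guidance (an explicit, non-executing dataType).
function auditAjaxSettings(settings, pageOrigin) {
  const issues = [];
  const crossOrigin = isCrossOrigin(settings.url, pageOrigin);
  const dataType = settings.dataType ? String(settings.dataType).toLowerCase() : '';
  if (!dataType) {
    issues.push('missing dataType: response type is inferred from Content-Type');
  } else if (EXECUTING_TYPES.has(dataType)) {
    issues.push(`dataType "${dataType}" executes the response as code`);
  }
  if (crossOrigin && issues.length > 0) {
    issues.push('cross-origin request: the remote server controls the response');
  }
  return { crossOrigin, issues };
}

// Returns a copy of the settings with an explicit dataType (JSON by default)
// when none was given; an existing explicit value is left untouched.
function withExplicitDataType(settings, dataType = 'json') {
  return settings.dataType ? { ...settings } : { ...settings, dataType };
}

// Constructed sample settings for a quick self-check (not real endpoints).
const PAGE_ORIGIN = 'https://app.example.test/';
const SAMPLE_REQUESTS = [
  { url: '/api/items' },                                       // same-origin, no dataType
  { url: 'https://widgets.example.net/feed' },                 // cross-origin, no dataType
  { url: 'https://widgets.example.net/feed', dataType: 'json' }, // hardened form
];

for (const req of SAMPLE_REQUESTS) {
  const result = auditAjaxSettings(req, PAGE_ORIGIN);
  console.log(req.url, result.issues.length ? result.issues : 'ok');
}
```

Running the audit over the settings objects your code passes to `$.ajax` (or over `$.ajaxSetup` defaults) flags the exact calls the text says application code should not make.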
Thus, your application in itself should not be exposed to a threat. Your end users should not be exposed via your application either, yet fully protecting them is not possible from a developer's perspective.
In general, static security scans should be reviewed in context. More often than not, the issues they report are false positives that have their justifications. In this instance, the application code must be vulnerable, or the end user must already be compromised, for an attack to take place. The former is in the domain of the application developer; the latter is outside the developer's area of influence. Such an attack can and will occur regardless of the jQuery version present in our assembly.