I have the following script tags in my .NET framework file
<script src="~/Scripts/kendo2020/2020.3.1021/jquery.min.js"></script>
<script src="~/Scripts/kendo2020/2020.3.1021/kendo.all.min.js"></script>
<script src="~/Scripts/kendo2020/2020.3.1021/kendo.aspnetmvc.min.js"></script>
<script src="~/Scripts/kendo2020/2020.3.1021/jszip.min.js"></script>
<script src="~/Scripts/jquery.blockUI.js"></script>
<script src="~/Scripts/jquery.cookie-1.4.1.min.js"></script>
The jQuery version I am using is 3.5.1.
I have also added the following snippet under the Web.config file.
<appSettings>
<add key="Telerik.ScriptManager.EnableEmbeddedjQuery" value="false" />
</appSettings>
When I run a security scan, it flags the aspnetmvc.min.js file with Client DOM XSS and Prototype Pollution vulnerabilities.
Is there a way to fix it?
Hi AJ,
Can you run a scan over a non-minified version of the file so that you can share which piece of code the report is addressing? Also, could you share which security report tool you are using?
Currently, there are reports from the Checkmarx security tool related to this file that come from the server-side binding of the Grid, and it is a false-positive report.
If it is Checkmarx, the report about this file is a false positive and it is related to this feature here: https://demos.telerik.com/aspnet-mvc/grid/serverbinding. The feature is about dynamically changing the location URL so that it can accomplish server-side operations.
Here is the official response about this report:
"This part of the code is used only in one scenario, a grid with server binding, and in this case, we do need to alter the parameters in order to reflect the changes to the UI. The URL is generated depending on the grid's state, thus the data is again safe. Nevertheless, if you are not using server binding, this piece of code will never run."
Note that Checkmarx scans the code only and reports potential vulnerabilities based on the code. It does not report vulnerabilities that are effective.