Telerik control uses an old version of jQuery (1.12.4) and is facing a vulnerability.

General Discussions
Ratan asked on 18 May 2023, 06:49 AM

I'm using the latest version of the Telerik AJAX controls but am still facing an issue because the Telerik control uses an old version of jQuery (1.12.4), so please guide me on how to avoid the vulnerability.

Rumen
Telerik team
answered on 18 May 2023, 07:49 AM

Hi Ratan,

All Telerik.Web.UI releases after R1 2019 include a custom jQuery version (1.12.4) that implements backports to address the known jQuery vulnerabilities. We tried to upgrade to jQuery 3, but that didn't go well due to Microsoft AJAX limitations in the ASP.NET WebForms framework, so we had to revert to jQuery 1.12.4.

In the jQuery Version History in Telerik UI Controls, you can find the history of the different jQuery versions we used in the previous versions, and in the Embedded jQuery Security section the jQuery vulnerabilities we have fixed along with their CVEs, e.g.

As of R1 2019, Telerik UI for ASP.NET AJAX ships a custom jQuery 1.12.4, with backport fixes incorporated to eliminate known vulnerability issues for 1.12.4 version. Here is a list of security fixes introduced to the custom jQuery script embedded in the Telerik.Web.UI assembly and their related CVE reports:

If you do not want to stick with jQuery 1.12.4, configure the Telerik Ajax controls to use an external jQuery. You can disable the embedded jQuery library and include an external one as a replacement. This lets you use your own version for the $telerik.$ variable, which exposes the embedded jQuery library. That way you can have complete control over the used version of jQuery. You can find instructions on how to use external jQuery in the Including external jQuery section.

Best Regards,
Rumen
Progress Telerik

Danny
commented on 19 Sep 2023, 02:02 PM

What options do we have to address the pen-test result that marked the use of jQuery version 1.12.4 as having reached end-of-life status, no longer receiving security updates, and having known security issues?

Attila Antal
Telerik team
commented on 22 Sep 2023, 10:30 AM

Hi Danny,

The embedded jQuery has addressed all the security vulnerabilities and it is safe to use. The official documentation confirms that. Scanning applications may detect it still, but you can ignore it or exclude it from scanning. You can choose the one that is best for you.
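Rather than taking the scanner finding or the vendor's reassurance on trust, you can check the embedded build for one of the public pre-3.4.0 jQuery bugs directly: prototype pollution through `jQuery.extend(true, ...)` (CVE-2019-11358). The following is an added example written for this thread; it is not code from the forum posts or from Telerik. The only name taken from the page is `$telerik.$`, the handle Rumen's answer says exposes the embedded jQuery. The function names, the probe marker and the two small `extend` stand-ins (which reproduce the vulnerable and the fixed merge logic so the probe can be exercised in Node, where no jQuery is loaded) are assumptions of this example. In a browser with a Telerik page loaded, run `probeJQuery($telerik.$)` from the console.

```javascript
// Added example, not from the thread or from Telerik.
// Reproduces the pre-3.4.0 jQuery.extend deep-merge bug in a stand-in,
// the 3.4.0 fix beside it, and a probe that tells the two apart.

// Minimal deep merge modelled on jQuery.extend's loop. With skipProto=false it
// behaves like jQuery < 3.4.0: an own "__proto__" key in the source makes it
// recurse into target["__proto__"], i.e. Object.prototype, and write there.
function mergeLike(skipProto, deep, target, source) {
  for (const name of Object.keys(source)) {
    if (skipProto && name === "__proto__") continue; // the 3.4.0 fix
    const copy = source[name];
    if (deep && copy && typeof copy === "object" && !Array.isArray(copy)) {
      const existing = target[name];
      const clone =
        existing && typeof existing === "object" && !Array.isArray(existing)
          ? existing
          : {};
      target[name] = mergeLike(skipProto, deep, clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Stand-ins with jQuery.extend's (deep, target, source) call shape.
const extendVulnerable = (deep, target, source) =>
  mergeLike(false, deep, target, source);
const extendFixed = (deep, target, source) =>
  mergeLike(true, deep, target, source);

// Probe: feed any extend-like function an attacker-style payload and report
// whether Object.prototype picked up an own property. Always cleans up.
const PROBE_MARKER = "__jqProbePolluted"; // assumed name, just needs to be unique
function probeProtoPollution(extendFn) {
  // JSON.parse yields an OWN property literally named "__proto__"; an object
  // literal {"__proto__": ...} would merely set the prototype instead.
  // Constructed payload, the kind that arrives in a JSON request body.
  const payload = JSON.parse('{"__proto__":{"' + PROBE_MARKER + '":1}}');
  try {
    extendFn(true, {}, payload);
    return Object.prototype.hasOwnProperty(PROBE_MARKER);
  } finally {
    delete Object.prototype[PROBE_MARKER];
  }
}

// Browser entry point: probeJQuery($telerik.$) or probeJQuery(window.jQuery).
// Returns the version string jQuery reports and whether the deep-extend bug
// is still present. The arrow wrapper keeps jQuery's own `this` untouched.
function probeJQuery($) {
  return {
    version: $.fn && $.fn.jquery, // "1.12.4" for the embedded Telerik build
    protoPollution: probeProtoPollution((d, t, s) => $.extend(d, t, s)),
  };
}

// Stand-alone demonstration against the two stand-ins.
console.log("vulnerable extend polluted:", probeProtoPollution(extendVulnerable)); // true
console.log("fixed extend polluted:     ", probeProtoPollution(extendFixed)); // false
```

A `true` from `probeJQuery($telerik.$).protoPollution` means the backport for this CVE is missing in the build you ship, whatever the documentation says; `false` only clears this one issue. The other well-known fixes the vendor would have had to backport, the `htmlPrefilter` XSS bugs fixed in jQuery 3.5.0 (CVE-2020-11022 and CVE-2020-11023), involve HTML parsing and need a DOM-based check, so compare the CVE list in the Embedded jQuery Security documentation against the pen-test report item by item rather than excluding the file from scanning outright.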
