I'm using the latest version of the Telerik AJAX controls but am still facing an issue because the Telerik controls use an old version of jQuery (1.12.4), so please guide me on how to avoid the vulnerability.
1 Answer, 1 is accepted
0
Rumen
Telerik team
answered on 18 May 2023, 07:49 AM
Hi Ratan,
All Telerik.Web.UI releases after R1 2019 include a custom jQuery version (1.12.4) that implements backports to address the known jQuery vulnerabilities. Although we tried to upgrade to jQuery 3, that didn't go well due to Microsoft AJAX limitations in the ASP.NET WebForms framework, so we had to revert to jQuery 1.12.4.
As of R1 2019, Telerik UI for ASP.NET AJAX ships a custom jQuery 1.12.4 with backport fixes incorporated to eliminate the known vulnerability issues of the 1.12.4 version. Here is a list of security fixes introduced to the custom jQuery script embedded in the Telerik.Web.UI assembly and their related CVE reports:
If you do not want to stick with jQuery 1.12.4, configure the Telerik Ajax controls to use an external jQuery. You can disable the embedded jQuery library and include an external one as a replacement. This lets you use your own version for the $telerik.$ variable, which exposes the embedded jQuery library. That way you can have complete control over the used version of jQuery. You can find instructions on how to use external jQuery in the Including external jQuery section.
Best Regards,
Rumen
Progress Telerik
Heads up! Telerik UI for ASP.NET AJAX versions for .NET 3.5 and 4.0 are retired. Progress will continue shipping assemblies compatible with .NET 4.5 and later. See whether this affects your apps in this article.
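The "disable the embedded jQuery and include an external one" configuration described in the answer above, written out as a complete WebForms page. This is an added example, not code from the answer or from the Telerik documentation; the page, control IDs and the jQuery file path are placeholders, and the RadScriptManager property name (EnableEmbeddedjQuery) and the two Telerik script resource names are taken from memory of the "Including external jQuery" documentation section the answer points to, so confirm them against that section before relying on them.

```aspx
<%-- Hypothetical page for illustration; directives and IDs are placeholders --%>
<%@ Page Language="C#" %>
<%@ Register TagPrefix="telerik" Namespace="Telerik.Web.UI" Assembly="Telerik.Web.UI" %>
<!DOCTYPE html>
<html>
<head runat="server"><title>External jQuery with Telerik UI for ASP.NET AJAX</title></head>
<body>
<form id="form1" runat="server">

    <%-- Default setting, kept here commented out for comparison: the embedded, backported
         jQuery 1.12.4 is served and exposed as $telerik.$, which is what a version-based
         scanner reports. --%>
    <%--
    <telerik:RadScriptManager ID="RadScriptManager1" runat="server" />
    --%>

    <%-- Replacement setting: embedded jQuery off, external copy supplied in the Scripts
         collection. The load order matters: Telerik core, then jQuery, then the Telerik
         script that binds $telerik.$ to the jQuery already on the page. --%>
    <telerik:RadScriptManager ID="RadScriptManager1" runat="server" EnableEmbeddedjQuery="false">
        <Scripts>
            <asp:ScriptReference Assembly="Telerik.Web.UI" Name="Telerik.Web.UI.Common.Core.js" />
            <%-- Placeholder path; use a jQuery release the Telerik scripts are known to work with --%>
            <asp:ScriptReference Path="~/Scripts/jquery-X.Y.Z.min.js" />
            <asp:ScriptReference Assembly="Telerik.Web.UI" Name="Telerik.Web.UI.Common.jQueryInclude.js" />
        </Scripts>
    </telerik:RadScriptManager>

    <telerik:RadButton ID="RadButton1" runat="server" Text="Check jQuery"
        AutoPostBack="false" OnClientClicked="reportJQuery" />

    <script type="text/javascript">
        // Verification step (added): after the change, $telerik.$ should be the very same
        // object as window.jQuery and both should report the external version, so a
        // scanner or reviewer can confirm the embedded 1.12.4 is no longer in use.
        function reportJQuery() {
            var telerikVersion = $telerik.$.fn.jquery;
            var pageVersion = window.jQuery ? window.jQuery.fn.jquery : "(none)";
            console.log("$telerik.$ version:", telerikVersion,
                        "| window.jQuery version:", pageVersion);
            if ($telerik.$ !== window.jQuery) {
                console.warn("Telerik is still bound to a separate jQuery instance; check the Scripts order.");
            }
        }
    </script>
</form>
</body>
</html>
```

The answer notes that Telerik's own attempt to move to jQuery 3 failed because of Microsoft AJAX limitations, so the external version is not a free choice: test the controls you use against the jQuery release you pick, and keep the verification function (or an equivalent console check) in a test build so a later script reordering that silently reverts to the embedded copy is caught.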
What options do we have to address the pen-test result that flagged jQuery version 1.12.4 as having reached end-of-life status, no longer receiving security updates, and having known security issues?
Attila Antal
Telerik team
commented on 22 Sep 2023, 10:30 AM
Hi Danny,
The embedded jQuery has addressed all the security vulnerabilities and it is safe to use. The official documentation confirms that. Scanning applications may still detect it, but you can ignore it or exclude it from scanning. You can choose the option that is best for you.