AUTHOR: Attila Antal
DATE POSTED: August 27, 2019
jQuery versions 1.11.1 and 1.12.4, which are embedded in various versions of Telerik UI for ASP.NET AJAX, are affected by Cross-site Scripting (XSS) and Prototype Pollution vulnerabilities.
These vulnerabilities may be reported by static code scanning tools as originating from the Telerik UI for ASP.NET AJAX suite or from the Telerik.Web.UI.WebResource handler.
A potential attack requires the following:
Thus, your application itself should not be exposed to a threat. Nor should your end users be exposed through your application, although fully protecting them is not possible from a developer's perspective.
In general, static security scans should be reviewed in context. More often than not, the issues they report are false positives in a given application, even though the tool has a reason for flagging them. In this instance, the application code must itself be vulnerable (for example, by passing untrusted input into the affected jQuery APIs), or the end user must already be compromised, for an attack to take place. The former is in the domain of the application developer; the latter is outside the developer's area of influence. Such an attack would occur regardless of the jQuery version present in our assembly.
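To make concrete what "the application code must be vulnerable" means for the Prototype Pollution issue, here is an added example (not code from Telerik, from jQuery, or from this article). It does not call jQuery at all; instead it uses a minimal recursive merge with the same flaw class as a deep-merge that recurses into a `__proto__` key, an attacker-controlled JSON document constructed for the example, a hardened merge that skips prototype-bearing keys, and a check that reports whether `Object.prototype` has been polluted. The function and key names are assumptions made for the example.

```javascript
"use strict";

// Constructed attacker input: the shape a client might submit as "settings" JSON.
// The "__proto__" key is an ordinary own property after JSON.parse.
const ATTACKER_JSON = '{"theme":"dark","__proto__":{"isAdmin":true}}';

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable recursive merge (example only, not jQuery's implementation): the
// "__proto__" key is treated like any other. target["__proto__"] resolves to
// Object.prototype, so the nested object is written into every object in the
// process. Untrusted input reaching a merge like this is what makes an
// application vulnerable.
function vulnerableDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      vulnerableDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: skip prototype-bearing keys and only recurse into the
// target's own properties, never into inherited ones.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Check suitable for a test suite: Object.prototype's built-in members are
// non-enumerable, so any enumerable key on it is pollution.
function pollutedKeys() {
  return Object.keys(Object.prototype);
}

// Runs the untrusted settings through both merges and reports what leaked.
// Removes the pollution it causes so the process is usable afterwards.
function demonstrate() {
  const settings = JSON.parse(ATTACKER_JSON);

  const vuln = vulnerableDeepMerge({}, settings);
  const afterVulnerable = {
    mergedTheme: vuln.theme,
    unrelatedObjectIsAdmin: ({}).isAdmin === true, // true: every object now "isAdmin"
    polluted: pollutedKeys(),                      // ["isAdmin"]
  };
  for (const k of pollutedKeys()) delete Object.prototype[k];

  const safe = safeDeepMerge({}, settings);
  const afterSafe = {
    mergedTheme: safe.theme,
    unrelatedObjectIsAdmin: ({}).isAdmin === true, // false
    polluted: pollutedKeys(),                      // []
  };
  return { afterVulnerable, afterSafe };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demonstrate(), null, 2));
}
```

The `pollutedKeys()` check is the useful takeaway for reviewing a scan finding in context: if no code path merges untrusted JSON into objects, the check stays empty no matter which jQuery build ships in the assembly.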
The following two fixes were backported to the jQuery copy embedded in Telerik UI for ASP.NET AJAX. The code for these backports was provided by the jQuery team.
Alternatively, you can include an external jQuery of another version of your choice. Instructions are given in the Using jQuery and Disabling the Embedded jQuery articles. When you disable the jQuery embedded in the Telerik.Web.UI assembly, you must provide your own version. Note that static code scans may still detect the jQuery embedded in our assembly and produce a false positive warning, even though it is not loaded on the web pages.