Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vulnerable JavaScript libraries #83

Open
weblendweb opened this issue Apr 3, 2020 · 7 comments
Open

Vulnerable JavaScript libraries #83

weblendweb opened this issue Apr 3, 2020 · 7 comments

Comments

@weblendweb
Copy link

Security alert

Your app contains one or more libraries with known security issues. Please see this Google Help Center article for details.

Vulnerable JavaScript libraries:

Name Version Known issues Identified files
jquery 1.9.1 SNYK-npm:jquery:20110606
SNYK-npm:jquery:20150627
SNYK-JS-JQUERY-174006 assets/www/h5p/js/jquery.js
Affects APK version 30801.

Error in Moodle Mobile App 3.8.1
@donbowman
Copy link

v1.9.1 (~2013 release) was the last to support IE6/7/8.
It is not supported on Cordova (https://blog.jquery.com/2013/04/18/jquery-2-0-released/).
v2.0 was released in 2013.
v3.0 was released in 2016

there are some breaking changes between each of these major. Definitely for the moodleapp 1.9 is no good.

Does anyone know of a reason not to upgrade to latest jquery?
It would seem the steps are to first frun the v1 migration tool (to get from v1.9 to v1.12)
then the v2 migration tool https://github.com/jquery/jquery-migrate/#README

@icc
Copy link
Member

icc commented Apr 22, 2020

H5P was originally created with support for IE8 which has since been dropped. However, some of the content types are still dependant on jQuery 1.9. I believe an upgrade would require a fair amount of time with refactoring and testing. So, until now the 1.9 in H5P has been manually patched for any known issues.

@donbowman
Copy link

any comment on what manually patched means?

Doing a diff against the upstream from https://code.jquery.com/jquery/, it appears the one in the h5p git repo only has 1 difference, the following is appended:

// Snap this specific version of jQuery into H5P. jQuery.noConflict will
// revert the globals to what they were before this file was loaded.
var H5P = window.H5P = window.H5P || {};

/**
 * jQuery v1.9.1
 *
 * @member
 */
H5P.jQuery = jQuery.noConflict(true);
H5P.jQuery.ajaxPrefilter(function (s) {
  if (s.crossDomain) {
    s.contents.script = false;
  }
});

the concern is since there are known sec vulnerabilities against that version (and probably many unknown since people stopped reporting them about 5 years ago).

@cescobedo
Copy link

cescobedo commented May 14, 2020
edited

Hi,

from MoodleHQ we are working on fix this issue (https://tracker.moodle.org/browse/MDL-68704) and once this issue will be fixed we would like to do a pull-request in order to H5P could integrate the solution.
It is important to notice that there are two vulnerabilities:

  1. SNYK-JS-JQUERY-174006 - Manual patch fix this. Easy to fix.
  2. SNYK-npm:jquery:20150627 - I would require to upgrade to 1.12.2 with the previous patch applied.

Cheers.

@fehwalker
Copy link

I see this old jquery library is updated in the master branch but not in the most current release from Dec 2022. Do you know when this will be added to a release?

@cmurtagh
Copy link

This is also becoming an issue, as we have 3rd party scans that are revealing this vulnerability. Any guess as to the effort of bringing jQuery up to date here?

@fehwalker
Copy link

The code is already updated, but hasn't yet been released.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@icc @fehwalker @cmurtagh @cescobedo @donbowman @weblendweb