Issue
- Possible information leakage by disclosure of the used JQuery version in the loaded JS files.
Environment
- Liferay DXP 7.0+
Resolution
-
Hiding the version in JQuery is against the the license, where they explicitly wrote that "You are free to use the Project in any other project (even commercial projects) as long as the copyright header is left intact".
-
If we trim that part of the code, you can still retrieve the information about the version through the browser console with jQuery().jquery or $.fn.jquery or jQuery.fn.jquery **
-
An attacker could figure out the version of the library by comparing files or just checking public Liferay repository, because we are open source, and by inspecting our Github repository, they are going to get this information.
-
At Liferay we are committed to fight against security vulnerabilities, and regarding third-party libraries, we do it keeping them updated as soon as any vulnerability is reported in the version we are using.
- If you have detected some vulnerability in the current jQuery or any other third-party library, please let us know, so we can analyse it, and we can update them to a safe version.
Conteúdo Excluesivo para Assinantes
Uma Subscrição do Liferay Enterprise fornece acesso a mais de 1.500 artigos que incluem práticas recomendadas, solução de problemas e outras soluções valiosas. Faça login para obter acesso completo.
Entrar