JQuery version is exposed

Issue

  • Possible information leakage by disclosure of the used JQuery version in the loaded JS files.

Environment

  • Liferay DXP 7.0+

Resolution

  • Hiding the version in JQuery is against the the license, where they explicitly wrote that "You are free to use the Project in any other project (even commercial projects) as long as the copyright header is left intact".
  • If we trim that part of the code, you can still retrieve the information about the version through the browser console with jQuery().jquery or $.fn.jquery or jQuery.fn.jquery ** 
     
  • An attacker could figure out the version of the library by comparing files or just checking public Liferay repository, because we are open source, and by inspecting our Github repository, they are going to get this information.
     
  • At Liferay we are committed to fight against security vulnerabilities, and regarding third-party libraries, we do it keeping them updated as soon as any vulnerability is reported in the version we are using.
     
  • If you have detected some vulnerability in the current jQuery or any other third-party library, please let us know, so we can analyse it, and we can update them to a safe version.
这篇文章有帮助吗?
0 人中有 0 人觉得有帮助