Support » Fixing WordPress » Google Lighthouse sees jquery 1.12.4 as vulnerable

  • Jack

    (@moxie)


    I was checking my site in Google Lighthouse tool for optimisation. It says I’m using a vulnerable jquery version which is part of WordPress. How serious is this and why hasn’t this been addressed by WP?

    ….. Includes front-end JavaScript libraries with known security vulnerabilities
    Some third-party scripts may contain known security vulnerabilities that are easily identified and exploited by attackers…..

    https://jackdaw.stackstorage.com/s/3BHWpaxAqJYBMG0

Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    There is a known issue, however, it is not a particularly significant one.

    The issue in question is here: https://github.com/jquery/jquery/issues/2432

    The long explanation is a bit complicated, but essentially, if some javascript code calls jQuery to get data from a site on another domain, and that domain then returns javascript, then that javascript can get executed in the context of that page.

    There are easy mitigations that javascript authors can do to avoid this, such as passing the proper datatype to jquery calls that they make. This is generally pretty easy and a lot of code mitigates it quite well.

    As for why WordPress has not addressed it, this is because the problem is fixed in jQuery 3.0 and up, but jQuery 3.0 and up is not backwards compatible with jQuery 1.12.4. So, simply replacing the jQuery library in WordPress would basically break all plugins and themes that use jQuery itself.

    A problem like this is unlikely to actually affect your site in any way, unless you use badly made themes or plugins. And realistically, when jQuery code wants to get data from other sites that use javascript, then they tend to use the JSONP request formats, which essentially does this exact same thing, only intentionally instead of by accident. So, it’s an unlikely issue to crop up in the first place.

    Moderator Steve Stern

    (@sterndata)

    Support Team Volunteer

    PS: Lighthouse also detects a “High Severity” in jQuery UI 1.11.4 (although its CVSS score is a 4.3

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Google Lighthouse sees jquery 1.12.4 as vulnerable’ is closed to new replies.