Steps to Reproduce
The jQuery $.load() command provides a simple way to load content from other servers and insert it into the current web page. By design, as part of its sanitization process, it is supposed to remove “<script>” tags to ensure that malicious code cannot be inserted into the page and executed.
The vulnerability fails to recognize and remove “<script>” tags that contain a whitespace character, which can result in Cross-site Scripting attacks by including malicious code in the included script.
Addressing the Issue
Clients using jQuery prior to 1.9.1 should upgrade immediately to this version, which contains the fix. Alternatively, clients who need to still remain on 1.6 may leverage HeroDevs Never Ending Support which provides versions of jQuery with this and other CVEs remediated.
Learning and Prevention
Typically, jQuery employs multiple methods to sanitize data. In this case, the actual sanitization method had a vulnerability in it. In these cases, the best business practice is to stay abreast of security updates so that your servers are vulnerable for the least amount of time once the exploit has been published publicly.
Conclusion
HeroDevs jQuery Never-Ending Support can make your team’s life easier and more convenient by ensuring that it has the latest, secure code for all your important dependencies. Contact HeroDevs today to sign up for our comprehensive support service.
Resources
NIST CVE-2020-7656 entry
Get alerted whenever a new vulnerability is fixed in the open source software we support.