Our security team have identified that our OOB Portal has a jQuery vulnerability shown on the National Database as
I gather that jQuery is a Portal building block, so what can, or should, I do to mitigate this risk?
jQuery versions below 3.4.0 mishandle jQuery.extend(true, {}, ...) because of Object.prototype pollution. An unsanitized source object containing an enumerable __proto__ property could extend the native Object.prototype.
With script attacks handled by the ASP.NET 'Request Validation' feature, does this also block the jQuery risk?
Cheers, Richard, U.K.
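To make the quoted advisory concrete, here is an added example (not code from the thread, and a simplified re-implementation rather than jQuery's own extend) showing a deep merge with the pre-3.4.0 flaw beside the 3.4.0-style fix, which is to never treat a source key named "__proto__" as something to merge. The untrusted JSON below is a constructed sample.

```javascript
// Added example, not from the thread: minimal deep merge mirroring how
// jQuery.extend(true, ...) before 3.4.0 could be driven into Object.prototype,
// beside the 3.4.0-style fix. Simplified re-implementation, not jQuery code.

function isPlainObject(v) {
  return Object.prototype.toString.call(v) === "[object Object]";
}

// Vulnerable shape: every enumerable source key is copied, and for nested
// objects the merge recurses into target[key]. When key is "__proto__",
// target[key] resolves to Object.prototype itself, so the recursion writes
// the nested keys onto the prototype shared by every object.
function deepExtendUnsafe(target, source) {
  for (const key in source) {
    const val = source[key];
    if (isPlainObject(val)) {
      const existing = target[key];
      target[key] = deepExtendUnsafe(isPlainObject(existing) ? existing : {}, val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Fixed shape (what 3.4.0 did): skip "__proto__" and only walk own keys.
function deepExtendSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (key === "__proto__") continue;
    const val = source[key];
    if (isPlainObject(val)) {
      const existing = target[key];
      target[key] = deepExtendSafe(isPlainObject(existing) ? existing : {}, val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed untrusted input, parsed as a request body would be: JSON.parse
// creates an enumerable own property literally named "__proto__".
const untrustedJson = '{"__proto__": {"polluted": true}, "name": "x"}';

function runUnsafe() {
  deepExtendUnsafe({}, JSON.parse(untrustedJson));
  const leaked = ({}).polluted === true;  // an unrelated object now sees the key
  delete Object.prototype.polluted;       // undo the pollution for this process
  return leaked;
}

function runSafe() {
  const merged = deepExtendSafe({}, JSON.parse(untrustedJson));
  return { leaked: ({}).polluted === true, keys: Object.keys(merged) };
}
```

On the Request Validation question: the constructed payload contains no HTML-like markup, which is what that feature rejects, and the merge runs client-side on already-parsed data, so it is not a control for this bug class; the version upgrade is.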
Hi Richard,
Yes, I did run the Lighthouse report. The dependencies which I have posted are from the Lighthouse report.
Please give it a try and let me know how you are getting on. Thanks
Kind Regards
Ragavan
Hi Ragavanrajan, gosh, you know your way around. I'll be trying this in a while, thanks for the advice. Whilst 3.6 shows for you in the console, if you run a vulnerability scan, say from Lighthouse, does it report V3.0 issues after you've got 3.6 loaded? Cheers, Richard
Hi Richard,
For me, jQuery is showing as 3.6.0. And it is upgraded. 😀 But keep in mind that you also need to update the dependent libraries for jQuery 3.6.0. I am not sure about the risk of taking it to production. So please play around in your dev environment.
Here are the steps for you.
Pre: Download the jQuery minified version to your local machine.
Log in to portal management.
1. Click Settings > Advanced Settings
2. In the Dynamics 365 Settings > Customise the system
3. Click Web resources > Filter the name which starts with j > you can find jquery
4. Replace the current jquery with your recent downloaded one.
Note: You may need to unblock the JS extension in Dynamics 365.
We are done now.
In Portal Studio > Refresh the page > Sync configuration and browse the website. Press Ctrl + F5.
In the console, try the following
As mentioned above, you may need to upgrade and perform the above steps for the following dependent libraries of jQuery
I can't think of any other alternative way, unless the Portal engineering team decides to upgrade jQuery and Bootstrap.
Hope it helps.
------------
If you like this post, give it a Thumbs up. Where it solved your request, Mark it as a Solution to enable other users to find it.
Hi, I've been looking around to see why those jQuery V3.0 findings still persist. Might this be a suspect? Cheers, Richard
Hi Ragavanrajan, I put my brain in gear and edited the HTML in the studio with the script 3.6 insert. Attachments show the edit and how it surfaces in the browser developer inspection. BUT it still fails on the Lighthouse test, which sees V3.0. Should that home page V3.6 script persist across all pages? Cheers, Richard
Hi Ragavanrajan, I did try again wrapping the <script> in <head> tags, but when I check in the front side editor the head and script HTML is not there. Help appreciated! Cheers, Richard
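A scanner that still reports V3.0 after the 3.6.0 tag was added is usually seeing a second copy of jQuery that the page continues to serve. As an added example (not from the thread), the function below scans a page's served HTML for every jQuery script include and reports which versions are present and which copy loads last; the bundled script path is a constructed placeholder, not the portal's real path.

```javascript
// Added example, not from the thread: list every jQuery <script> include in a
// page's HTML so an older copy loaded beside the new 3.6.0 tag is visible.
// Assumption: the version is readable from the file name (jquery-3.6.0.min.js).

function findJqueryIncludes(html) {
  const results = [];
  const tagRe = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = m[1];
    if (!/jquery/i.test(src)) continue;
    const verMatch = src.match(/jquery[-.]?(\d+\.\d+(?:\.\d+)?)/i);
    results.push({
      src,
      version: verMatch ? verMatch[1] : "unknown",
      // Subresource integrity on a CDN copy, as the tag in this thread has.
      hasIntegrity: /\bintegrity\s*=/i.test(m[0]),
    });
  }
  return results;
}

// Numeric semver-style comparison, e.g. olderThan("3.0.0", "3.4.0") === true.
function olderThan(version, minimum) {
  const a = version.split(".").map(Number), b = minimum.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d < 0;
  }
  return false;
}

// What a scanner would conclude: all versions present, which one loads last
// (and so owns window.jQuery), and whether any copy predates the 3.4.0 fix.
function summarise(html) {
  const inc = findJqueryIncludes(html);
  return {
    versions: inc.map((i) => i.version),
    loadedLast: inc.length ? inc[inc.length - 1].version : null,
    unknownOrOld: inc.some((i) => i.version === "unknown" || olderThan(i.version, "3.4.0")),
  };
}

// Constructed page fragment: a bundled V3.0 copy (placeholder path) followed
// by the added 3.6.0 CDN tag, in the order the page would load them.
const sampleHtml = `
<script src="/js/jquery-3.0.0.min.js"></script>
<script src="https://code.jquery.com/jquery-3.6.0.min.js" integrity="sha256-PLACEHOLDER" crossorigin="anonymous"></script>
`;
```

Run summarise() against the HTML of every page template, not just the home page, since the finding persists wherever the older include is still emitted.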
Hi Ragavanrajan, thanks for your help, sounds great but could you give me a bit more guidance please.
1. I edited the Home/HTML in portal management as per the screenshot, but that can't be right as it breaks the front side editor, so I reverted.
2. I don't know how to get to the HTML in portal studio. Many thanks, Richard
Hi @Gatwick,
I have upvoted the idea. I completely agree jQuery 3.0 is five years old. The PowerApps portal Bootstrap version is also old. Please raise a ticket with Microsoft regarding this. When I get a chance to speak to the portal engineering team I will highlight this as a security issue and check their upcoming roadmap.
I have tried upgrading the jQuery version and it seems to be updated to jQuery 3.6.0.
In Portal Studio
1. Home page > edit the source code and add the following code
<script src="https://code.jquery.com/jquery-3.6.0.min.js" integrity="sha256-/xUj+3OJU5yExlq6GSYGSHk7tPXikynS7ogEvDej/m4=" crossorigin="anonymous"></script>
Press sync configuration and browse the website
Output:
In Portal console
Hope it helps.
Hi Ragavanrajan,
Thanks. V3 is now five years old. I've raised the update as an idea, so please share, as I bet you have a lot of contacts!
Portals-jQuery-Portals-is-FIVE-YEARS-out-of-date
If it cannot be updated, do you know if the vulnerabilities act as rogue HTML, so would be captured by ASP.NET Request Validation? If not, any suggestions as to how I can reassure our security team?
Cheers, Richard, U.K.
Hi @Gatwick
There is no easy way to upgrade the inbuilt jQuery framework. If there is a security issue, kindly raise a ticket with Microsoft as a higher priority.
They can deal with this.
Please let us know if you have difficulty in this process. Otherwise I will raise it with the product team.
Hope it helps.