PowerApps Portals jQuery 3.0 vulnerability

(0) Share

Report

Posted on by tacklers

150

Our security team have identified that our OOB Portal has a jQuery vulnerability shown on the National Data Base as

CVE-2019-11358

I gather that jQuery is a Portal building block so what can, or should I do to mitigate this risk?

jQuery versions below 3.4.0, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. An unsanitized

source object containing an enumerable __proto__ property could extend the native Object.prototype

With script attacks handled by ASP.NET 'Request Validation' feature does this also block the jQuery risk?

Cheers, Richard U.k

Categories:

Power Apps portals

I have the same question (0)

All responses (10)

Answers (0)

ragavanrajan 7,044 Most Valuable Professional on at

Like (0)

Report

Hi @Gatwick

There is no easy way to upgrade inbuilt jQuery framework. If there is a security issue kindly raise ticket with Microsoft as a higher priority.

They can deal with this.

Please let is know if you have difficulty in this process. Otherwise I will raise it with product team.

Hope it helps.

------------

If you like this post, give a Thumbs up. Where it solved your request, Mark it as a Solution to enable other users find it.

Was this reply helpful? Yes No
tacklers 150 on at

Like (0)

Report

Hi Ragavanrajan,
Thanks V3 is now five years old. I've raised the update as an idea so please share as I bet you have a lot of contacts!
Portals-jQuery-Portals-is-FIVE-YEARS-out-of-date

If it cannot be updated do you know if the vulnerabilities act as rouge HTML so would be captured by ASP.NET Request Validation? If not any suggestions as to how I can reassure our security team?

Cheers, richard U.K

Was this reply helpful? Yes No
ragavanrajan 7,044 Most Valuable Professional on at

Like (0)

Report
Hi @Gatwick,

I have upvoted the idea. I completely agree jQuery 3.0 is five years old. PowerApps portal bootstrap version is also old. Please raise a ticket with Microsoft regarding this. When I get a chance to speak to the portal engineering team I will highlight this as a security issue and check their upcoming roadmap.

I have tried upgrading the jquery version and it seems to be updated to jquery 3.6.0

In portal studio

1. Home page > edit the source code and add the following code

<script src="https://code.jquery.com/jquery-3.6.0.min.js" integrity="sha256-/xUj+3OJU5yExlq6GSYGSHk7tPXikynS7ogEvDej/m4=" crossorigin="anonymous"></script>

Press sync configuration and browse the website

Output:

In Portal console

Hope it helps.
------------

If you like this post, give it a Thumbs up. Where it solved your request, Mark it as a Solution to enable other users to find it.

Was this reply helpful? Yes No
tacklers 150 on at

Like (0)

Report

Hi Ragavanrajan, thanks for your help, sounds great but could you give me a bit more guidance please.
1. I edited the Home/HTML in portal management as per the screen shot but that can't be right as it breaks the front side editor so I reverted.
2. I don't know how to get to the HTML in portal studio. Many thanks, Richard

jQuery-html-to-3-...

Was this reply helpful? Yes No
tacklers 150 on at

Like (0)

Report

Hi Ragavanrajan, I did try again wrapping the <script> in <head> tags but when I check on the front side editor the head and script HTML is not there. help appreciated! Cheers, richard

jQuery-html-to-3-...

Was this reply helpful? Yes No
tacklers 150 on at

Like (0)

Report

Hi Ragavanrajan, I put my brain in gear and edited the HTML in the studio with the Scrip 3.6 insert. Attachments show the edit and how it surfaces in the browser developer inspection. BUT it still fails on the Lighthouse test which sees V3.0 Should that home page V3.6 script persist across all pages? Cheers, Richard

jQuery-3-6-shown-...

jQuery-3-still-di...

jQuery-3-6-script...

Was this reply helpful? Yes No
tacklers 150 on at

Like (0)

Report

Hi, I've been looking around to see why those jQuery V3.0 findings still persist, might this be a suspect? cheers, Richard

jQuery-3-referenc...

Was this reply helpful? Yes No
ragavanrajan 7,044 Most Valuable Professional on at

Like (0)

Report

Hi Richard,

For me, jquery is showing as 3.6.0. And it is upgraded. 😀 But keep in mind that you also need to update the dependent libraries for JQuery 3.6.0. I am not sure about the risk of taking it to production. So please play around in your dev environment.

Here are the steps for you.

Pre: Download Jquery minified version in your local

Log in to portal management.

1. Click Settings > Advanced Settings

2. In the Dynamics 365 Settings > Customise the system

3. Click Web resources > Filter the name which starts with j > you can find jquery

4. Replace the current jquery with your recent downloaded one.

Note: You may need to unblock your JS extension in Dynamics 365 if needed

We are done now.

In Portal studio,> Refresh the page > Sync configuration and browse the website. Press Ctrl + F5

In the console, try the following

As mentioned above, you may need to upgrade and perform the above steps for the following dependent library of jquery

I can't think of any other alternative way. Unless the Portal engineering team decided to upgrade jquery and bootstrap.

Hope it helps.
------------

If you like this post, give it a Thumbs up. Where it solved your request, Mark it as a Solution to enable other users to find it.

Was this reply helpful? Yes No
tacklers 150 on at

Like (0)

Report

Hi Ragavanrajan, gosh, you know your way around, I'll be trying this in a while, thanks for the advice, whilst 3.6 shows for you in the console if you run a vulnerability scan, say from Lighthouse, does it report V3.0 issues after you've got 3.6 loaded? Cheers, Richard

Was this reply helpful? Yes No
ragavanrajan 7,044 Most Valuable Professional on at

Like (0)

Report

Hi Richard,

Yes, I did run the lighthouse report. The dependencies which I have posted is from the light house report.

Please give it a try and let me know how you are getting on. Thanks

Kind Regards

Ragavan

Was this reply helpful? Yes No