
Magento Outdated jQuery Version – How To Patch Without Upgrading – CVE-2015-9251

If you’ve recently run a vulnerability scan or PCI scan on your Magento 1 or Magento 2 website, you’ve probably seen a vulnerability like this appear:

Asynchronous JavaScript and Extensible Markup Language Request Crosssite Scripting Vulnerability


jQuery is vulnerable to Cross-site Scripting (XSS) attacks when a crossdomain Asynchronous JavaScript and Extensible Markup Language (AJAX) Request is performed without the dataType option, causing text/javascript responses to be executed.


jQuery version 1.10.2 < 3.0.0

CVE: CVE-2015-9251

Overview of the issue:

That’s a lot of text! The security warning states that any version of jQuery < 3.0.0 has a cross-site scripting (XSS) vulnerability in jQuery’s AJAX handling: a cross-domain request made without an explicit dataType will execute a text/javascript response as code. Since the vulnerability is an XSS issue, it’s an automatic fail for PCI DSS compliance scans.

If you’re not sure whether or not your site is vulnerable, you can run the below JavaScript code in your Chrome Console:

jQuery.get('https://sakurity.com/jqueryxss');

If running that code in the console results in a popup / dialog box, you are vulnerable.

Patching jQuery:

The PCI Scan will ask you to upgrade your version of jQuery to >= 3.0.0. While this may be feasible for some sites, a major version upgrade of jQuery can potentially break your website (and be time consuming to fix). If you’re looking for a quick way to patch this by hand without upgrading jQuery, you can add the below code to the end of your jquery.js javascript file. This file will be in different locations depending on your Magento version. If you’re running Magento 1.x, it’s generally in the skin folder, and for Magento 2 it’s included in the vendor folder. If you’re still unsure, you will need to consult your developer or contact us now for help.

Once you’ve found the appropriate jQuery file, add this snippet of code to the end of the file:

// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432)
jQuery.ajaxPrefilter( function( s ) {
    if ( s.crossDomain ) {
        s.contents.script = false;
    }
});

This code snippet comes from the GitHub issue raised in response to the CVE. It’s important you place this piece of code immediately after you include jQuery, so that it is registered before any other script gets a chance to make an AJAX request through jQuery.

You can then re-run the XSS check from the console:

jQuery.get('https://sakurity.com/jqueryxss');

If you’ve correctly implemented the patch, you should no longer see a popup.

Your vulnerability / PCI scan may still flag your site for this vulnerability since the version of jQuery is < 3.0.0. If that happens, you should file a dispute / false positive for this vulnerability on your PCI assessment, and link to the github issue along with a note that you’ve added the code to your jQuery library.

Need help with patching jQuery CVE-2015-9251 on your Magento site?

We’ve had a lot of experience fixing problems with Magento. If you need help, head over to the Cadence Labs contact page, or email us at [email protected]. We offer affordable rates for our Magento development services. 
