HOT LINE 1654

Alerts

Vulnerability in the jQuery library

24 Apr 2019

An object prototype pollution vulnerability (CVE-2019-11358) in jQuery, a JavaScript library, was discovered by researchers.

A JavaScript object is like a variable that can store multiple values according to a predefined structure. A prototype defines an object's default structure and default values; it supplies the expected structure and values for any property that has not been set explicitly.

This vulnerability enables an attacker to modify a web application's JavaScript object prototype. However, each exploitation must be tailored to the specific target, so the attacker needs in-depth knowledge of how each web application works.

Impact

Successful exploitation of the vulnerability could cause the web application to crash or alter its behaviour when it does not receive the expected values, which in turn affects the rest of the data processed by the application. It also enables the attacker to launch further attacks such as denial of service or code execution.

Affected Versions

jQuery versions prior to v3.4.0 are affected.

Recommendation

Web developers are advised to update their application to the latest jQuery version at https://jquery.com/download/.