Hello,
For ASPX.NET AJAX... JQuery 1.x branch is still being utilized / embedded (even though some of the bigger issues have been manually changed by your Progress Team) does not cut it with our client base. JQuery Branch 1.x is not acceptable and has been a Severe security item for ALL PEN testing solutions for some time.
What are the Progress plans to get jQuery up to SPEC (3.7.x... etc.). We have no interest in over-riding the version of jQuery as is noted in some of the forums. This creates other issues at the Telerik component level... we do not want to deal with component issues as that is why we procure 3rd party Components in the first place.
"Security is paramount over functionality in most web applications today."
This is major, as we would have to move on to other technologies if your roadmap does not meet our needs. Q1 2025 at min.
I am certain many other users are in the same boat.
Kind Regards
Hi Trent,
Thank you for your inquiry regarding the security of jQuery within Telerik UI for ASP.NET AJAX. We recognize the critical importance of maintaining a secure environment for your applications and appreciate the opportunity to address your concerns.
In response to your feature request about updating jQuery to the 3.7.x branch, we understand that the continued use of the jQuery 1.x branch, even with security patches, may not meet the stringent requirements of your client base and PEN testing standards. We are aware of the challenges and security implications associated with this older version and the potential impact on your decision to continue using our components.
Please see below for a detailed explanation of our current mitigation efforts and options available to you.
To ensure the highest level of security, Telerik Web UI versions after R1 2019, up to and including R1 2024 (version 2024.1.131), utilize a customized version of jQuery (1.12.4). This adaptation, necessary due to constraints with the Microsoft AJAX framework in ASP.NET Web Forms, includes backport fixes that effectively mitigate known vulnerabilities in the original jQuery 1.12.4.
We have addressed several critical vulnerabilities (actually all known vulnerabilities in version 1.12.4) as per CVE reports, enhancing the security of the custom jQuery script within the Telerik.Web.UI assembly:
We have published here detailed evidence and comparison analysis, highlighting the fixes and security enhancements in our custom jQuery version versus the official jQuery releases. This includes specific adjustments to address Cross-Site Scripting and Parameter Pollution vulnerabilities.
For those looking to employ a newer jQuery version, it’s possible to configure Telerik Ajax controls to utilize an external jQuery library. This allows for full control over the jQuery version used, facilitating the replacement of the embedded jQuery library with your preferred version. Instructions for implementing an external jQuery are detailed in our documentation, emphasizing the need for thorough testing in areas such as JavaScript errors, UI component functionality, and AJAX request handling.
While we have not transitioned to jQuery 3.x for broad cross-browser support considerations, this option remains viable, particularly if Firefox compatibility is not a primary concern for your user base. We encourage sharing your experiences and outcomes if you decide to upgrade, as this feedback is invaluable both for our continuous improvement and for assisting our user community.
For a comprehensive overview, including screenshots and further details, please refer to our Knowledge Base article: Security - Resolving jQuery Vulnerabilities.
The jQuery library introduces a breaking change in version 3.0 and uses strict mode via a use strict directive. As explained in the documentation, the strict mode sets limits, such as accessing the caller of a function or using eval(). Such limitations affect the MS AJAX client framework of ASP.NET Web Forms framework where the __doPostBack() method recursively accesses the callers. To address this, security patches have been applied to jQuery 1.12.4 as explained in detail in the Security - Resolving jQuery Vulnerabilities article.
If sticking to this version is undesirable, alternatives include using an external jQuery 3.x or switching to suites like Telerik UI for ASP.NET MVC based on ASP.NET MVC, which supports jQuery 3.7.
Let me know if you have any other questions. I will be glad to assist you.
Regards,
Rumen
Progress Telerik