Unplanned
Last Updated: 11 Jun 2024 07:07 by ADMIN
Trent
Created on: 06 Jun 2024 17:36
Category: UI for ASP.NET AJAX
Type: Feature Request
JQuery

Hello,

For ASP.NET AJAX, the jQuery 1.x branch is still being utilized / embedded (even though some of the bigger issues have been manually changed by your Progress Team), and this does not cut it with our client base. The jQuery 1.x branch is not acceptable and has been a severe security item for ALL PEN testing solutions for some time.

What are the Progress plans to get jQuery up to spec (3.7.x, etc.)? We have no interest in overriding the version of jQuery as is noted in some of the forums. This creates other issues at the Telerik component level; we do not want to deal with component issues, as that is why we procure 3rd-party components in the first place.

"Security is paramount over functionality in most web applications today."

This is major, as we would have to move on to other technologies if your roadmap does not meet our needs. Q1 2025 at min.

I am certain many other users are in the same boat.

Kind Regards,


1 comment
ADMIN
Rumen
Posted on: 11 Jun 2024 07:07

Hi Trent,

Thank you for your inquiry regarding the security of jQuery within Telerik UI for ASP.NET AJAX. We recognize the critical importance of maintaining a secure environment for your applications and appreciate the opportunity to address your concerns.

In response to your feature request about updating jQuery to the 3.7.x branch, we understand that the continued use of the jQuery 1.x branch, even with security patches, may not meet the stringent requirements of your client base and PEN testing standards. We are aware of the challenges and security implications associated with this older version and the potential impact on your decision to continue using our components.

Please see below for a detailed explanation of our current mitigation efforts and options available to you.

To ensure the highest level of security, Telerik Web UI versions after R1 2019, up to and including R1 2024 (version 2024.1.131), utilize a customized version of jQuery (1.12.4). This adaptation, necessary due to constraints with the Microsoft AJAX framework in ASP.NET Web Forms, includes backport fixes that effectively mitigate known vulnerabilities in the original jQuery 1.12.4.

CVE Mitigation Efforts:

We have addressed several critical vulnerabilities (actually all known vulnerabilities in version 1.12.4) as per CVE reports, enhancing the security of the custom jQuery script within the Telerik.Web.UI assembly:

  • CVE-2015-9251: Mitigation of XSS attacks in cross-domain Ajax requests, corrected from version R1 2019.
  • CVE-2019-11358: Resolution of Object.prototype pollution, secured from version R1 2019.
  • CVE-2020-11022 & CVE-2020-11023: Fixes for XSS vulnerabilities introduced in jQuery 3.5, applied from version R2 2020.
  • CVE-2020-23064: Not applicable to our custom jQuery version, as it addresses issues present in jQuery 2.2.0 through 3.x before 3.5.0.

Evidence of Mitigation and Further Instructions:

We have published detailed evidence and a comparison analysis here, highlighting the fixes and security enhancements in our custom jQuery version versus the official jQuery releases. This includes specific adjustments to address Cross-Site Scripting and Parameter Pollution vulnerabilities.

For those looking to employ a newer jQuery version, it’s possible to configure Telerik Ajax controls to utilize an external jQuery library. This allows for full control over the jQuery version used, facilitating the replacement of the embedded jQuery library with your preferred version. Instructions for implementing an external jQuery are detailed in our documentation, emphasizing the need for thorough testing in areas such as JavaScript errors, UI component functionality, and AJAX request handling.

Considering Browser Compatibility:

While we have not transitioned to jQuery 3.x for broad cross-browser support considerations, this option remains viable, particularly if Firefox compatibility is not a primary concern for your user base. We encourage sharing your experiences and outcomes if you decide to upgrade, as this feedback is invaluable both for our continuous improvement and for assisting our user community.

For a comprehensive overview, including screenshots and further details, please refer to our Knowledge Base article: Security - Resolving jQuery Vulnerabilities.

Summary

The jQuery library introduces a breaking change in version 3.0 and uses strict mode via a 'use strict' directive. As explained in the documentation, strict mode sets limits, such as accessing the caller of a function or using eval(). Such limitations affect the MS AJAX client framework of the ASP.NET Web Forms framework, where the __doPostBack() method recursively accesses the callers. To address this, security patches have been applied to jQuery 1.12.4, as explained in detail in the Security - Resolving jQuery Vulnerabilities article.

If sticking to this version is undesirable, alternatives include using an external jQuery 3.x or switching to suites like Telerik UI for ASP.NET MVC, which is based on ASP.NET MVC and supports jQuery 3.7.

Let me know if you have any other questions. I will be glad to assist you.

Regards,
Rumen
Progress Telerik

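The strict-mode limitation cited in the reply's summary, shown as an added example (this is not code from Telerik, jQuery or Microsoft; the caller-walking helper is a hypothetical stand-in for a postback helper, not MicrosoftAjax.js itself):

```javascript
// Added example, not Telerik's, jQuery's or Microsoft's code: a sloppy-mode
// helper that walks Function.caller (as the reply says __doPostBack() does)
// stops working once a 'use strict' function, such as any function inside
// jQuery 3.x, sits in the call chain. Functions are built with the Function
// constructor so each one's strictness depends only on its own body.
// Hypothetical stand-in for the legacy postback helper: it reports whether
// walking the caller chain reaches `stopAt`, and how many frames lie between.
const walkCallers = new Function("stopAt", `
  let frames = 0;
  let fn = arguments.callee.caller;   // legal here: this function is sloppy
  while (fn && fn !== stopAt) {
    frames++;
    fn = fn.caller;                   // TypeError once fn is a strict function
  }
  return { reached: fn === stopAt, frames: frames };
`);

// Page code of the classic Web Forms kind: sloppy, so the chain stays intact.
const legacyDispatcher = new Function("walk", "stopAt", "return walk(stopAt);");
// The same call made from a strict function, as every function in a library
// that starts with 'use strict' is.
const strictDispatcher = new Function(
  "walk", "stopAt", "'use strict'; return walk(stopAt);");

// Runs the walk through a dispatcher and classifies the outcome. Engines
// differ in the strict case: V8/Node censors the strict caller and returns
// null (chain cut), Firefox throws a TypeError. Either way the helper is blind.
function probe(dispatcher) {
  try {
    const r = dispatcher(walkCallers, dispatcher);
    return r.reached ? "chain intact" : "chain cut";
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : "unexpected: " + e;
  }
}

// A helper that is itself compiled under strict mode cannot even read
// arguments.callee; this throws in every engine.
function strictHelperOutcome() {
  try {
    new Function("'use strict'; return arguments.callee;")();
    return "allowed";
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : "unexpected: " + e;
  }
}

console.log("sloppy dispatcher:", probe(legacyDispatcher)); // chain intact
console.log("strict dispatcher:", probe(strictDispatcher)); // chain cut (Node) or TypeError (Firefox)
console.log("strict helper:", strictHelperOutcome());       // TypeError
```

This is why the reply singles out Firefox: it is the engine that throws rather than silently truncating the chain, so a caller-walking helper fails loudly there.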