Retire.js is a free open source scanner for detecting the use of JavaScript libraries with known vulnerabilities.
Links to get a better insight:
| Alert |
|---|
| When we update a library and we use the minified version we need to |
| Here is an interesting link about possible JavaScript source maps errors: https://developer.mozilla.org/en-US/docs/Tools/Debugger/Source_map_errors |
The following table records the work done to fix vulnerabilities detected with retire.js:
Scan Date | Ticket | Affected Version | Vulnerabilities | Fix Date | Fixed Release | Fixes
---|---|---|---|---|---|---
18-March-2017 | | Trunk | CVE-2015-9251 | 20-November-2017 | 17.12.01 | jQuery upgraded from jQuery 1.11.0 to jQuery 3.2.1
06-June-2019 | | 16.11.05 | | 18-June-2019 | 16.11.06 | jQuery upgraded from jQuery 1.11.0 to jQuery 3.4.1
06-June-2019 | | 17.12.01, 18.12.01, Trunk | | 27-July-2019 | 17.12.01, 18.12.01 | For CVE-2018-14041 Bootstrap upgraded to 4.3; for CVE-2019-11358 jQuery upgraded from jQuery 3.2.1 to jQuery 3.4.1
29-May-2020 | | 17.12.01, 18.12.01, Trunk | Severity: medium. Summary: Regex in its jQuery.htmlPrefilter sometimes may introduce XSS; https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ | 16-June-2020, 12-June-2020 | 17.12.04, 18.12.01 | jQuery upgraded from jQuery 3.4.1 to jQuery 3.5.1
I (Jacques Le Roux) just (2015-12-08) used retire.js on trunk HEAD (r1716917) and got these results:
```text
framework\images\webapp\images\jquery\jquery-migrate-1.2.1.js has known vulnerabilities: severity: medium; bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 http://research.insecurelabs.org/jquery/test/
specialpurpose\solr\webapp\solr\js\require.js has known vulnerabilities: severity: medium; bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 http://research.insecurelabs.org/jquery/test/
specialpurpose\birt\webapp\birt\webcontent\birt\ajax\lib\prototype.js has known vulnerabilities: severity: high; CVE: CVE-2008-7220; http://www.cvedetails.com/cve/CVE-2008-7220/
...
```
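As an added example (not code from this page's project or from retire.js itself), a small Python script that parses console lines of the shape shown above into one record per file and vulnerability, keeps the worst severity per file so the result can be copied into a tracking table like the one on this page, and reports whether a severity threshold is breached so a CI job can fail early. The sample lines are constructed, and the assumption that several findings for one file appear on a single line, each introduced by `severity:`, is mine.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of retire.js console output (one line per
# affected file, each vulnerability introduced by "severity: ..."). These are
# not results from a real scan of this project.
SAMPLE_OUTPUT = """\
framework/images/webapp/images/jquery/jquery-migrate-1.2.1.js has known vulnerabilities: severity: medium; bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290
specialpurpose/birt/webapp/birt/webcontent/birt/ajax/lib/prototype.js has known vulnerabilities: severity: high; CVE: CVE-2008-7220; http://www.cvedetails.com/cve/CVE-2008-7220/
framework/images/webapp/images/jquery/jquery-1.11.0.min.js has known vulnerabilities: severity: medium; CVE: CVE-2015-9251; https://nvd.nist.gov/vuln/detail/CVE-2015-9251 severity: low; bug: 11290, summary: Selector interpreted as HTML
"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
LINE_RE = re.compile(r"^(?P<path>.+?) has known vulnerabilities: (?P<rest>.+)$")
# One finding runs from "severity: X;" up to the next "severity:" or end of line
# (assumption about how multiple findings for one file are laid out).
FINDING_RE = re.compile(r"severity: (?P<sev>\w+);\s*(?P<detail>.*?)(?=\s*severity: |\Z)")
ID_RE = re.compile(r"CVE-\d{4}-\d{4,}|bug: \d+")

def parse_retire_output(text: str) -> List[Dict]:
    """Turn console lines into one record per (file, vulnerability)."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # progress or summary lines are ignored
        for f in FINDING_RE.finditer(m.group("rest")):
            detail = f.group("detail").strip()
            ids = list(dict.fromkeys(ID_RE.findall(detail)))  # dedupe, keep order
            findings.append({"path": m.group("path"), "severity": f.group("sev").lower(),
                             "ids": ids, "detail": detail})
    return findings

def worst_per_file(findings: List[Dict]) -> Dict[str, Dict]:
    """Keep only the highest-severity finding for each file (one table row per library)."""
    worst: Dict[str, Dict] = {}
    for f in findings:
        cur = worst.get(f["path"])
        if cur is None or SEVERITY_RANK.get(f["severity"], 0) > SEVERITY_RANK.get(cur["severity"], 0):
            worst[f["path"]] = f
    return worst

def fail_build(findings: List[Dict], threshold: str = "high") -> bool:
    """True if any finding is at or above the threshold (use as a CI gate)."""
    return any(SEVERITY_RANK.get(f["severity"], 0) >= SEVERITY_RANK[threshold] for f in findings)

if __name__ == "__main__":
    for path, f in worst_per_file(parse_retire_output(SAMPLE_OUTPUT)).items():
        print(f"{f['severity']:<7} {', '.join(f['ids']) or '-':<22} {path}")
```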