bp2008 / ui3

A powerful, modern HTML5 web interface for Blue Iris.
GNU Lesser General Public License v3.0

"Vulnerable" version of jQuery #9

Closed khaosnmt closed 6 years ago

khaosnmt commented 6 years ago

A business I do work for uses Blue Iris with UI3. Recently they've had to do some PCI compliance testing. The tests fail because of what the testing company says is

vulnerable jQuery version: 1.11.3

Risk: High (3)
Port: 8888/tcp
Protocol: tcp
Threat ID: web_lib_jquery

Details: Two vulnerabilities fixed in jQuery 3.0.0
01/23/18
CVE-2015-9251
CVE-2016-10707

Is there any plan to use a newer version of jQuery or is there a way that it could be cobbled in?

bp2008 commented 6 years ago

jQuery 3.x means losing support for some older browsers. That isn't such a big deal for UI3 since UI3 requires html5 canvas anyway, but the login.htm page also uses jQuery and has looser requirements. For example IE8 is still functional on the login page with jQuery 1.x, but with 3.x it simply won't be able to load.

I'll update to the latest on the 1.x branch (1.12.4) and maybe that will have those bugs fixed.

I do wonder why they need UI3 to pass PCI compliance in the first place though. Is it being hosted publicly under their primary domain or something? Or is the testing company just clueless about what is relevant to their testing?

bp2008 commented 6 years ago

Also 3.x appears to have other breaking changes that affect UI3. I threw it in briefly and had a few errors preventing UI3 from loading. Not worth my time right now to fix those and exhaustively test everything again.

bp2008 commented 6 years ago

The version 6 release (available now) uses jQuery 1.12.4. If that passes testing, then great, otherwise I suggest not publicly hosting UI3 on a domain involved with PCI compliance.

khaosnmt commented 6 years ago

Thanks for the fast reply on this! I was more or less curious as to whether or not it was a quick fix, and you've stated that it is not.

I noticed a slight speed increase in this release. It may or may not be placebo; I can't be sure. That change didn't pass PCI compliance testing, but I managed to get them to let me do things properly, so it's now a non-issue. That said, this can be closed. Thank you again!