Status: Closed (a-h closed 1 year ago)
Lightbox2 version 2.11.3 uses jQuery 3.4.1, which has two XSS vulnerabilities:
https://snyk.io/test/npm/jquery/3.4.1
This means that the https://github.com/lokesh/lightbox2/blob/dev/dist/js/lightbox-plus-jquery.min.js file contains the outdated library.
As a workaround, I downloaded the solution and used Bower to pull in the latest jQuery, and hosted it myself instead of using the CDN.
No code changes are required; just putting out a new build that uses jQuery 3.6.0 would sort it.
Resolved in v2.11.4: https://github.com/lokesh/lightbox2/releases/tag/v2.11.4
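
A check for this situation, added here as an example and not taken from the issue or from the Lightbox2 project: it scans the text of a built bundle for jQuery license banners and flags any copy older than a chosen floor. The function names and the sample bundle are constructed for illustration; the floor `3.6.0` is the version requested in the issue, and the check assumes the build keeps jQuery's `/*! ... */` banner.

```javascript
// Added example: locate jQuery copies vendored inside a built JS bundle.
// Matches both banner styles jQuery ships:
//   minified:   /*! jQuery v3.4.1 | (c) ... */
//   unminified: /*!\n * jQuery JavaScript Library v3.4.1
const JQUERY_BANNER =
  /\/\*![\s*]*jQuery (?:JavaScript Library )?v(\d+)\.(\d+)\.(\d+)/g;

// Compare two [major, minor, patch] arrays: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Return one record per jQuery banner found in `source`.
// `minVersion` is the lowest acceptable version, e.g. '3.6.0'.
function findBundledJquery(source, minVersion) {
  const floor = minVersion.split('.').map(Number);
  const hits = [];
  for (const m of source.matchAll(JQUERY_BANNER)) {
    const found = [Number(m[1]), Number(m[2]), Number(m[3])];
    hits.push({
      version: found.join('.'),
      line: source.slice(0, m.index).split('\n').length,
      outdated: compareVersions(found, floor) < 0,
    });
  }
  return hits;
}

// Constructed sample standing in for a "plugin plus jQuery" bundle.
const SAMPLE_BUNDLE = [
  '/*! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */',
  '!function(e,t){/* library body omitted in this constructed sample */}(this);',
  '/*! constructed plugin banner */',
  '(function(){/* plugin body omitted in this constructed sample */})();',
].join('\n');

console.log(findBundledJquery(SAMPLE_BUNDLE, '3.6.0'));
```

A bundle whose build step strips comments carries no banner, so an empty result from this check does not prove the file is free of jQuery.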