Open shk3bq4d opened 4 years ago
We did patch those security vulnerabilities in this jquery-1.12.4.
We're also working toward upgrade to latest jQuery.
Stay tuned.
Is there a timeline when this dependency will be upgraded? It looks like CVE-2019-11358/CVE-2019-5428 was patched but there are a number of other vulnerabilities affecting this version: https://snyk.io/test/npm/jquery/1.12.4.
@kevinwuhoo - Thanks for the question. Our team confirms that all vulnerabilities in that list have already been patched in our internal fork of jquery 1.12.4.
Hello, is there any updates on when jQuery would be updated beyond 1.12.4 for this library?
@Dewar0019 - No updates. Security patches get high priority (we are not running 1.12.4, but rather a patched version) but otherwise changing that version is not a priority task.
Can you tell us a bit more about what issues the older (base) version is causing you?
We were getting flags for this issue with our security scanners. I think it is only looking at the version number to raise this flag. How do you determine whether or not a version of v1.12.4 jQuery being used is patched (or if several patches were applied)? Should we assume that all versions using v1.12.4 of jquery are patched?
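The question above (how to tell whether a loaded jQuery 1.12.4 build is patched when scanners only read the version string) and the reproduction step in the issue body (`jQueryCourage.fn.jquery` returning 1.12.4) both come down to the same contrast: a version-only heuristic versus a behavioural check for a specific fix. The block below is an added example, not code from the okta-signin-widget project or from anyone in this thread. It puts the two signals side by side for one of the CVEs named in the thread, CVE-2019-11358, whose upstream fix added a `__proto__` guard to deep `$.extend`. The two `*StyleExtend` functions are constructed stand-ins that imitate only the relevant part of a jQuery-style deep extend; they are not jQuery's code. `jQueryCourage` is the global named in the issue; the sample objects, the `3.5.0` threshold (taken from the issue's expected-behaviour line) and the probe marker name are this example's assumptions.

```javascript
// Added example (not from the okta-signin-widget project or this thread).
// Contrasts the version-string heuristic a scanner applies to
// jQueryCourage.fn.jquery with a behavioural probe for one specific fix:
// the __proto__ guard added to deep $.extend for CVE-2019-11358.
// The two *StyleExtend functions are constructed stand-ins, NOT jQuery's code.

// --- 1. Version-only heuristic (what a scanner does with fn.jquery)

function parseVersion(v) {
  const parts = String(v).split(".").map((n) => parseInt(n, 10));
  // Unparsable components become 0 so a garbage string is never "new enough".
  return [0, 1, 2].map((i) => (Number.isInteger(parts[i]) ? parts[i] : 0));
}

function versionBelow(version, minimum) {
  const a = parseVersion(version);
  const b = parseVersion(minimum);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Threshold taken from the issue's "Expected behavior" line (assumption).
const MINIMUM_UNFLAGGED_VERSION = "3.5.0";

function versionFlagged(version) {
  return versionBelow(version, MINIMUM_UNFLAGGED_VERSION);
}

// --- 2. Behavioural probe: does deep extend walk through a "__proto__" key?

function probeExtendForPrototypePollution(extendFn) {
  // Unique marker so the probe cannot collide with a real property.
  const marker = "__probe_" + Math.random().toString(36).slice(2);
  // JSON.parse yields an OWN property literally named "__proto__".
  const payload = JSON.parse('{"__proto__": {"' + marker + '": true}}');
  try {
    extendFn(true, {}, payload);
    // An unguarded deep extend recurses into Object.prototype and sets the marker.
    return Object.prototype[marker] === true;
  } finally {
    delete Object.prototype[marker]; // always undo the probe's side effect
  }
}

// --- Constructed stand-ins for a jQuery-style deep extend (NOT jQuery's code)

function unpatchedStyleExtend(deep, target, ...sources) {
  for (const src of sources) {
    for (const key of Object.keys(src)) {
      const copy = src[key];
      if (deep && copy && typeof copy === "object" && !Array.isArray(copy)) {
        const existing = target[key]; // for "__proto__" this is Object.prototype
        const clone = existing && typeof existing === "object" ? existing : {};
        target[key] = unpatchedStyleExtend(deep, clone, copy);
      } else {
        target[key] = copy;
      }
    }
  }
  return target;
}

function patchedStyleExtend(deep, target, ...sources) {
  for (const src of sources) {
    for (const key of Object.keys(src)) {
      const copy = src[key];
      // Guard in the spirit of the upstream fix: never recurse through
      // "__proto__", and never merge an object into itself.
      if (key === "__proto__" || copy === target) continue;
      if (deep && copy && typeof copy === "object" && !Array.isArray(copy)) {
        const existing = target[key];
        const clone = existing && typeof existing === "object" ? existing : {};
        target[key] = patchedStyleExtend(deep, clone, copy);
      } else {
        target[key] = copy;
      }
    }
  }
  return target;
}

// --- 3. Both signals for a jQuery-like object (e.g. window.jQueryCourage)

function assessJquery(jq) {
  const version = jq && jq.fn && jq.fn.jquery ? jq.fn.jquery : "unknown";
  return {
    version,
    versionFlagged: versionFlagged(version),
    extendPollutable: probeExtendForPrototypePollution(jq.extend),
  };
}

// Constructed sample objects standing in for the global jQueryCourage.
const forkedButPatched = { fn: { jquery: "1.12.4" }, extend: patchedStyleExtend };
const stockOld = { fn: { jquery: "1.12.4" }, extend: unpatchedStyleExtend };

console.log(assessJquery(forkedButPatched)); // versionFlagged: true, extendPollutable: false
console.log(assessJquery(stockOld));         // versionFlagged: true, extendPollutable: true
```

In a browser this would be run against `window.jQueryCourage` instead of the sample objects. The point the output makes is the one the thread keeps circling: both builds report `1.12.4`, so a scanner flags both, while only the behavioural probe separates the patched fork from the stock release. The probe covers exactly one fix, so it verifies one claim, not the whole patch set; the durable way to satisfy a scanner remains a version bump or a published list of applied patches.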
@swiftone Since you haven't changed the version, ASVs still detect this as a vulnerable version and will continue to flag it and fail anyone doing a PCI-DSS scan. How much effort can it be to change the version in your code?
Can you say when you guys patched jQuery version 1.12.4?
This is showing up in security scanners/pen testing reports as an issue. You list the fix as being on an internal fork last OCTOBER - when will this be released?
Add internal ticket to get the issue prioritized.
Internal Ref: OKTA-377873
When was 1.12.4 patched?
Hey, what is the timeline on updating the version number/s to indicate that this has been patched?
Please provide an update on this issue.
@shuowu - Can we please get an update on this issue? Security scans are picking this up constantly and we have to justify why our IDP is using an outdated JavaScript library. Since you are running a patched version, it might be helpful to provide a periodic update on what was patched. Thanks!
@kochste The most recent major version of SIW (v7) includes jQuery 3.6 (https://github.com/okta/okta-signin-widget/blob/master/packages/%40okta/courage-dist/package.json#L9)
hello, just wanted to check if there is any progress on this. jQuery 1.12.4 has been picked up during a pen test for us as well, we understand it has been patched but will be great to see this updated...
:information_source: If you have a question, please post it on the Okta Developer Forum instead. Issues in this repository are reserved for bug reports and feature requests.
I'm submitting a
Background info
Okta sign-in widget uses an outdated version of jQuery 1.12.4 named as global variable jQueryCourage which was EOL'ed on 2016.05.20 and suffers from CVE-2015-9251
Reference:
Vendor - http://jquery.com/
Advisory - https://github.com/jquery/jquery/commit/f60729f3903d17917dc351f3ac87794de379b0cc
Advisory - https://github.com/jquery/jquery/issues/2432
Advisory - https://snyk.io/vuln/npm:jquery:20150627
CVE: CVE-2015-9251
Expected behavior
Upgrade to version 3.5.0 or later of jQuery
Steps to reproduce
Either:
Run jQueryCourage.fn.jquery in the browser console; it will return 1.12.4
Or see in the source code that the legacy version is still present
Your environment