Hello,

I think jQuery versions should be patched following this release: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/

Patches seem quite straightforward to apply: https://github.com/DanielRuf/snyk-js-jquery-174006


Comments

dolu created an issue.

Ludo.R:

I guess if you're using Drupal core 7.66+, it's not needed.

Nixou:


I think the patch is needed even if you are on 7.66, because the jQuery file used will not be the one from core (which is fixed).

None of the jQuery files included in this module are patched, so they will remain vulnerable.

See also the attached screenshot.

Ludo.R:

@Nixou,

That's what I thought initially, but using Drupal 7.66 will fix the vulnerability.
There's a new file that will override jQuery's extend() function.

See: https://git.drupalcode.org/project/drupal/commit/39e2971

* This provides the Object.prototype pollution vulnerability fix to Drupal
* installations running older jQuery versions, including the versions shipped
* with Drupal core and https://www.drupal.org/project/jquery_update.

The patch is still needed for people who are not upgrading to 7.66.
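
To make concrete what the commit comment above refers to, here is an added example (not jQuery's code and not Drupal's override file) of a minimal deep merge with the same shape as jQuery's deep extend(). It is shown once in the form that can write into Object.prototype when a merged object carries a key literally named "__proto__", and once with the check the jQuery 3.4.0 release added (skipping that key before recursing). The function names, the constructed JSON input and the prototypeIsPolluted() check are this example's own.

```javascript
// Added example (not jQuery's or Drupal's code): a minimal deep merge with the
// same shape as jQuery.extend(true, ...), shown once in the form that pollutes
// Object.prototype and once with the check jQuery 3.4.0 introduced.
// Function names (extendVulnerable, extendFixed, ...) are this example's own.

// jQuery-style plain-object test: an object whose prototype is Object.prototype
// OR null counts as plain. Object.prototype itself has a null prototype, which
// is exactly why the vulnerable merge recurses into it.
function isPlainObject(v) {
  if (v === null || typeof v !== "object") return false;
  if (Object.prototype.toString.call(v) !== "[object Object]") return false;
  const proto = Object.getPrototypeOf(v);
  return proto === null || proto === Object.prototype;
}

// Vulnerable deep merge: recurses into every enumerable key of `source`,
// including one literally named "__proto__".
function extendVulnerable(target, source) {
  for (const name in source) {
    const copy = source[name];
    if (isPlainObject(copy)) {
      // target["__proto__"] resolves through the getter to Object.prototype,
      // which passes isPlainObject, so the recursion writes into it.
      const src = target[name];
      const clone = isPlainObject(src) ? src : {};
      target[name] = extendVulnerable(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Fixed deep merge: the 3.4.0 fix skips a key named "__proto__" (and a
// self-reference) before recursing, so Object.prototype is never a target.
function extendFixed(target, source) {
  for (const name in source) {
    const copy = source[name];
    if (name === "__proto__" || target === copy) continue;
    if (isPlainObject(copy)) {
      const src = target[name];
      const clone = isPlainObject(src) ? src : {};
      target[name] = extendFixed(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Constructed input shaped like untrusted JSON that reaches a deep merge.
// JSON.parse creates an own property literally named "__proto__" (it does not
// call the prototype setter), so for...in enumerates it.
function untrustedInput() {
  return JSON.parse('{"__proto__": {"polluted": true}, "title": "ok"}');
}

// Check a defender can run: has Object.prototype gained the injected key?
function prototypeIsPolluted() {
  return Object.prototype.hasOwnProperty.call(Object.prototype, "polluted");
}

function cleanup() {
  delete Object.prototype.polluted;
}

// Run one merge implementation against the input and report what happened.
function runMerge(extendFn) {
  cleanup();
  const merged = extendFn({}, untrustedInput());
  const report = {
    title: merged.title,                         // normal keys still merge
    polluted: prototypeIsPolluted(),             // did Object.prototype change?
    freshObjectPolluted: ({}).polluted === true, // visible on unrelated objects?
  };
  cleanup();                                     // undo so later code is unaffected
  return report;
}

console.log("vulnerable:", runMerge(extendVulnerable)); // polluted: true
console.log("fixed:     ", runMerge(extendFixed));      // polluted: false
```

The point for this thread: the fix is a one-line guard inside extend() itself, which is why Drupal 7.66 can ship it as a small file that replaces jQuery.extend for whatever jQuery version is loaded, including the copies bundled with jquery_update. A site that stays on an older core and an unpatched jquery_update has neither the guard in jQuery nor the override, so the merge behaves like extendVulnerable above.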

solideogloria:

That was literally the only fix in 7.66, so even if they don't upgrade to 7.66, they can cherry-pick the fix into their codebase.

coffeedevgirl:

Hello, I have an issue related to jQuery 3.4.0. I did the update to Drupal core 7.67 and now I have issues with all the JS files, with errors like:
Uncaught TypeError: $ is not a function
Uncaught TypeError: $form.once is not a function
My question is basically whether I need to apply this patch even if I did the update to 7.67. I tried different changes in the code without success until now, and specifically I have so many issues with the module Views Conditional 7.x-1.3 when trying to open the pop-ups. Any help?

solideogloria:

Is all of your JS wrapped in functions like this:

(function ($) { ... })(jQuery);

coffeedevgirl:

Yes, actually all my scripts are wrapped; the issue started after including jQuery 3.4.0 :(

mcdruid:

Status: Active » Closed (outdated)