Thanks Straightlight for your quick reply.
The version is 3.0.3.1. I opted for that version initially because I know it runs ok with PHP 5.x which they were using for compatibility on an existing old e-commerce platform that they were replacing.
I had a look at the latest stable version of 3.0.3.7 but that seems to be using the same versions of jQuery (2.1.1) and Bootstrap (3.3.5).
These are the 'impacts' of using the older libraries:
This library is vulnerable to cross-site scripting (XSS) attacks, which allow an attacker to execute arbitrary JavaScript code in the context of other users.
Affected path: /bootstrap.min.js
Further information:
CVE-2016-10735:In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
CVE-2019-8331: XSS in data-template, data-content and data-title properties of tooltip/popover
CVE-2018-14041: XSS in data-target property of scrollspy
CVE-2018-14040: XSS in collapse data-parent attribute
CVE-2018-14042: XSS in data-container property of tooltip
Please refer following resources for more details:
https://nvd.nist.gov/vuln/detail/CVE-2016-10735
https://blog.getbootstrap.com/2018/12/1 ... rap-3-4-0/
https://github.com/twbs/bootstrap/issues/20184
And for jQuery:
This library is vulnerable to cross-site scripting (XSS) attacks, which allow an attacker to execute arbitrary JavaScript code in the context of other users.
This libarary is vulnerable to Prototype Pollution attacks. The extend function can be tricked into modifying the prototype of Object when the attacker controls part of the structure passed to this function. This can let an attacker add or modify an existing property that will then exist on all objects.
Affected path: /jquery-2.1.1.min.js
Further information:
CVE-2015-9251: jQuery versions on or above 1.4.0 and below 1.12.0 (version 1.12.3 and above but below 3.0.0-beta1 as well) are vulnerable to XSS via 3rd party text/javascript responses(3rd party CORS request may execute). (
https://github.com/jquery/jquery/issues/2432).
CVE-2019-11358: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
CVE-2020-11022: Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
CVE-2020-11023: Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
Please refer following resources for more details:
https://nvd.nist.gov/vuln/detail/CVE-2015-9251
https://nvd.nist.gov/vuln/detail/CVE-2019-11358
https://blog.getbootstrap.com/2018/12/1 ... rap-3-4-0/
https://github.com/jquery/jquery/issues/2432