OpenCart Community

I'm creating a site and the company have run a security audit and have come back with the following:

The web application uses the following outdated JavaScript library: Bootstrap 3.3.5
and
The web application uses the following outdated JavaScript library: jQuery 2.1.1

They have asked me to update the affected JavaScript libraries to the latest version.

I know this is currently being worked on in the master branch. Is this something that is possible with OC3 though?

kanector wrote: ↑

Mon Jul 05, 2021 8:53 pm

I'm creating a site and the company have run a security audit and have come back with the following:

The web application uses the following outdated JavaScript library: Bootstrap 3.3.5
and
The web application uses the following outdated JavaScript library: jQuery 2.1.1

They have asked me to update the affected JavaScript libraries to the latest version.

I know this is currently being worked on in the master branch. Is this something that is possible with OC3 though?

OC version. However, OC v3.0.3.7 works fine on that side.

Thanks Straightlight for your quick reply.

The version is 3.0.3.1. I opted for that version initially because I know it runs ok with PHP 5.x which they were using for compatibility on an existing old e-commerce platform that they were replacing.

I had a look at the latest stable version of 3.0.3.7 but that seems to be using the same versions of jQuery (2.1.1) and Bootstrap (3.3.5).

These are the 'impacts' of using the older libraries:

This library is vulnerable to cross-site scripting (XSS) attacks, which allow an attacker to execute arbitrary JavaScript code in the context of other users.

Affected path: /bootstrap.min.js

Further information:

CVE-2016-10735:In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.

CVE-2019-8331: XSS in data-template, data-content and data-title properties of tooltip/popover

CVE-2018-14041: XSS in data-target property of scrollspy
CVE-2018-14040: XSS in collapse data-parent attribute
CVE-2018-14042: XSS in data-container property of tooltip

Please refer following resources for more details:

https://nvd.nist.gov/vuln/detail/CVE-2016-10735
https://blog.getbootstrap.com/2018/12/1 ... rap-3-4-0/
https://github.com/twbs/bootstrap/issues/20184

And for jQuery:

This library is vulnerable to cross-site scripting (XSS) attacks, which allow an attacker to execute arbitrary JavaScript code in the context of other users.

This libarary is vulnerable to Prototype Pollution attacks. The extend function can be tricked into modifying the prototype of Object when the attacker controls part of the structure passed to this function. This can let an attacker add or modify an existing property that will then exist on all objects.

Affected path: /jquery-2.1.1.min.js

Further information:

CVE-2015-9251: jQuery versions on or above 1.4.0 and below 1.12.0 (version 1.12.3 and above but below 3.0.0-beta1 as well) are vulnerable to XSS via 3rd party text/javascript responses(3rd party CORS request may execute). (https://github.com/jquery/jquery/issues/2432).

CVE-2019-11358: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

CVE-2020-11022: Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
CVE-2020-11023: Regex in its jQuery.htmlPrefilter sometimes may introduce XSS

Please refer following resources for more details:

https://nvd.nist.gov/vuln/detail/CVE-2015-9251
https://nvd.nist.gov/vuln/detail/CVE-2019-11358
https://blog.getbootstrap.com/2018/12/1 ... rap-3-4-0/
https://github.com/jquery/jquery/issues/2432

This may be useful for Bootstrap. viewtopic.php?f=202&t=224222

For jQuery look at the upgrade guides and use jQuery Migrate. https://jquery.com/upgrade-guide/

From what I could see OpenCart didn't use them in a way which could be exploited, but that doesn't mean themes and extensions don't.

Using jquery-3.6.0.min.js, and Bootstrap v3.3.5 should hopefully solve these issues without breaking backward compatibility.

Thanks ADD for the reply.

I have updated the bootstrap files to the latest in the branch at 3.4.1 and that now passes the security tests for that section. I also made the edits recommended regarding the popover changes and that is working fine also.

With the jQuery update, the vulnerability was to do with prototype pollution attacks. Is that something that would be possible through OC?
Thanks for your help.

Updated to jQuery 3.6.0 and changed all references to the older 2.1.1 and it's working great and passing both of the security scans.

Thanks for all your help!

Can you explain how you updated the files in detail?