Critical vulnerability in jQuery exposes millions of websites

Cybersecurity specialists report that jQuery, the popular JavaScript library, is affected by an unusual prototype pollution vulnerability that could allow threat actors to modify a JavaScript object prototype.

The impact of this problem could be serious, considering that the library is currently used by more than 70% of functioning websites; most sites still use the 1.x and 2.x versions of the library, which makes them vulnerable to this flaw.

The cybersecurity experts mention that a patch correcting this flaw was released recently, three years after the last security update the library received.

Specialists explain that JavaScript objects are like variables that can store multiple values according to a default structure. Prototypes are what define that structure for a JavaScript object.

According to experts from the International Institute of Cyber Security (IICS), if a malicious user is able to modify a JavaScript object prototype, the application can crash or change its behavior when it does not receive the values it expects. Because JavaScript is so widely used, exploiting a prototype vulnerability of this kind could cause serious problems in many web applications.

Cybersecurity experts have shown that, by exploiting the vulnerability (identified as CVE-2019-11358), an attacker can assign themselves administrator privileges in a web application that uses the jQuery library code.

The specialists pointed out that this prototype pollution vulnerability does not lend itself to mass exploitation, because the exploit code must be specially crafted for each individual JavaScript object, so at least not everything is bad news.

In addition, experts recommend that web developers working with this library update as soon as possible to the latest version of jQuery (v3.4.0). According to the reports, the most recent version also includes fixes for some undesirable behaviors encountered when using the library; technical details about each of these fixes can be found on the official jQuery developers' blog.