December 17, 2018 at 10:43 pm #1046578
Results from a security scan on our Enfold site returned security vulnerability issues related to the version of jquery being used by Enfold.
Is there a way to remove jquery version 1.12.4 and replace it with jquery version 3.0 or higher?
Here are the results from the scan:
Details:
jQuery versions on or above 1.4.0 and below 1.12.0 (version 1.12.3 and above but below 3.0.0-beta1 as well) are vulnerable to XSS via 3rd party text/javascript responses(3rd party CORS request may execute). (https://github.com/jquery/jquery/issues/2432).
Solution: jQuery version 3.0.0 has been released to address the issue (http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/). Please refer to vendor documentation (https://blog.jquery.com/) for the latest security updates.
———————————————-
In jQuery versions on or above 1.12.2 and below 2.2.0 $.parseHTML has (lots of) XSS. In these versions parseHTML() executes scripts in event handlers. Please refer following resource for more details: https://bugs.jquery.com/ticket/11974, http://research.insecurelabs.org/jquery/test/
December 21, 2018 at 5:52 am #1048041
Hey galpinr,
You could try to deregister the jquery included in the theme using this:
function my_scripts_method() {
    // Remove the jQuery handle registered by WordPress.
    wp_deregister_script( 'jquery' );
}
add_action( 'wp_enqueue_scripts', 'my_scripts_method' );
Then enqueue your own file. You run a very big risk of breaking a lot of theme functionality if you do this though.
Best regards,
Rikard
April 18, 2019 at 10:35 pm #1092507
We have a question regarding this as well – Is there any sort of a plan to update Enfold to the latest version of jQuery? This severely limits the theme in general, when I use a plugin called jQuery Updater it breaks the functionality of the Nav on the website, as well as a few other things.
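The approach from the December 21, 2018 reply above (deregister the bundled jQuery, then enqueue your own file), written out as an added example for a child theme's functions.php. It is not part of the original thread and is not Enfold or WordPress code; the function name and the two file names under /js/ are placeholders for builds you have downloaded yourself.

```php
<?php
// Added example, not Enfold or WordPress core code.
// ASSUMPTIONS: my_replace_core_jquery is a hypothetical name, and the two
// file names below are placeholders for a jQuery 3.x build and a matching
// jQuery Migrate build stored in the child theme's /js/ directory.

function my_replace_core_jquery() {
    // wp_enqueue_scripts only fires on the front end, so wp-admin and the
    // login screen keep the jQuery that WordPress itself ships.
    $base = get_stylesheet_directory_uri() . '/js/';

    // 'jquery' is an alias handle that pulls in 'jquery-core' and
    // 'jquery-migrate', so all three registrations are dropped.
    wp_deregister_script( 'jquery' );
    wp_deregister_script( 'jquery-core' );
    wp_deregister_script( 'jquery-migrate' );

    // Re-register under the same handles, so theme and plugin scripts that
    // declare array( 'jquery' ) as a dependency still load after it.
    // A null version suppresses the ?ver= query string.
    wp_register_script( 'jquery-core', $base . 'jquery-3.x.min.js', array(), null, false );
    wp_register_script( 'jquery-migrate', $base . 'jquery-migrate-3.x.min.js', array( 'jquery-core' ), null, false );

    // A handle whose source is false loads nothing itself and only
    // brings in its dependencies.
    wp_register_script( 'jquery', false, array( 'jquery-core', 'jquery-migrate' ), null, false );

    wp_enqueue_script( 'jquery' );
}
add_action( 'wp_enqueue_scripts', 'my_replace_core_jquery' );
```

As the reply warns, theme scripts written against jQuery 1.12.4 can break after this change; later posts in this thread report the Enfold menu and the search tooltip as the parts affected.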
April 20, 2019 at 5:21 am #1092805
April 22, 2019 at 11:29 pm #1093437
Hey Rikard,
I don’t think it’s entirely necessary to update jQuery at this point. I’m just used to working with the latest version, and noticed that when I loaded in the latest version many things broke.
More so for my familiarity, I didn’t learn jQuery until it was in version 3.
Again, not entirely necessary – I was just curious.
April 23, 2019 at 9:19 am #1093583
Hi bigbadjohn,
Thanks for the update, like you say there is a great chance of things breaking in the theme if you update jQuery, so it’s not really advisable.
Best regards,
Rikard
April 23, 2019 at 3:37 pm #1093681
It’s a security issue.
OP: “Results from a security scan on our Enfold site returned security vulnerability issues related to the version of jquery being used by Enfold.”
April 26, 2019 at 4:52 pm #1094769
Hi,
What are those issues, can you please ask them to list us the issues?
Because with a quick search there is no open vulnerability
Best regards,
Basilis
April 26, 2019 at 5:20 pm #1094785
My original post has the details returned by the security scan that explain the issues.
April 30, 2019 at 7:34 am #1095623
Hi,
We have forwarded the ticket to our developers.
Best regards,
Basilis
May 2, 2019 at 6:18 pm #1096549
Same here, please update.
I see same security risk and Chrome gives users a warning, which makes the investment to SSL certificate less value.
The warning even when risk is not big, gives a low trust user experience.
I do understand it is a wider issue with WordPress.
It would be good if the theme menu doesn't break when updating WordPress to jQuery 3+
May 3, 2019 at 7:57 am #1096770
Hi,
The theme is not including a custom version of jQuery, we are using the default WordPress one. https://wordpress.org/support/topic/why-wordpress-only-use-old-jquery-version-is-1-12-4/
Best regards,
Rikard
May 3, 2019 at 5:29 pm #1096944
Hello, yes I have noticed.
I first tried to upgrade WordPress to use the newest jQuery 3 with a plugin https://wordpress.org/plugins/jquery-updater/
but that broke my Enfold menu. Removed that now.
I found out what triggered the warning and old jQuery loading.
I used your new feature to upload my own Font and load them.
This triggered an old jQuery library, triggered the warning in Chrome browser and slowed down the website.
I removed the Fonts and deactivated the jQuery migrate. Everything still works and no more warning from Chrome.
I found the performance option where I can deactivate jQuery migrate.
Maybe you can add an option to deactivate the old jQuery library and turn on a hook to the newest jQuery3?
May 3, 2019 at 7:50 pm #1097003
Using Jquery Updater has worked for us with one exception that I am hoping I can get help with…
We have the Search icon at the end of our main menu. The design, when working, is that clicking the Search Icon displays the Search form and search text input field for use. With Jquery Updater the Search form and search text field do not display on click of the Search icon.
When working, the implementation goes like this: The style of the DIV that holds the search form and field by default set to
display: none; opacity: 0;
when you click the Search icon that DIV style is changed to
display: block; opacity: 1;
The DIV involved here is:
<div class="avia-search-tooltip avia-tt" style="top: 28.7344px; left: 738.109px; display: none; opacity: 0;">
On click of the Search Icon gets changed to:
<div class="avia-search-tooltip avia-tt" style="top: 28.7344px; left: 738.109px; display: block; opacity: 1;">
Jquery updater breaks this.
Is there a way to fix this in functions.php? Or some other way?
May 6, 2019 at 5:08 am #1097562
Hi,
Thanks for the update.
Where can we see the issue? Please provide the site url in the private field so that we can inspect it. Do you see any errors in the browser console?
Best regards,
Ismael
May 6, 2019 at 3:14 pm #1097704
I see no errors in the console. Thanks
Link sent in the private field.
May 7, 2019 at 5:39 am #1097937
Hi,
Thanks for the update.
The opacity is not adjusting properly on click but I’m not sure why. You can add this css code to fix that issue temporarily.
.avia-search-tooltip.avia-tt { opacity: 1 !important; }
Are there any other issues that you notice aside from this?
Best regards,
Ismael
May 7, 2019 at 3:29 pm #1098098
Thank you – that fixed it.
This is the only issue we have seen resulting from using Jquery updater to update the WordPress core javascript to 3.x.
The security scans still pick up that Enfold is using the older jquery versions that have been identified as a security risk. Hoping we can find a way to resolve that. But thank you for this Search button fix – that is a great help!
May 11, 2019 at 5:15 pm #1099589
Hi,
We are loading the Jquery version that WordPress is loading.
We have confirmed this with our developers so for any issue – please check the WordPress core.
Best regards,
Basilis
July 8, 2019 at 6:19 pm #1116742
Adding a note to this conversation as I get the security risk message on the Chrome Lighthouse report as well – so hoping to get updated on this topic.
Cheers,
Havi
July 9, 2019 at 8:06 am #1116945
Hi Havi,
We are still using the default WordPress jQuery version, so there’s nothing new really.
Best regards,
Rikard
October 29, 2020 at 9:27 pm #1256876
Hi, I get message “The following are deprecations logged from the front-end of your site, or while the deprecation box was disabled.”
/wp-content/themes/enfold/js/avia.js: jQuery.browser is deprecated
How can I reliably fix it?
Thank you
November 1, 2020 at 8:30 am #1257410
Hi inforexx,
Please open a new thread and include WordPress admin login details in private so that we can have a closer look at your site.
Best regards,
Rikard