Viewing 23 posts - 1 through 23 (of 23 total)
    #1046578

    Results from a security scan on our Enfold site returned security vulnerability issues related to the version of jquery being used by Enfold.

    Is there a way to remove jquery version 1.12.4 and replace it with jquery version 3.0 or higher?

    Here are the results from the scan:
    Details:
    jQuery versions on or above 1.4.0 and below 1.12.0 (version 1.12.3 and above but below 3.0.0-beta1 as well) are vulnerable to XSS via 3rd party text/javascript responses (3rd party CORS request may execute). (https://github.com/jquery/jquery/issues/2432).
    Solution: jQuery version 3.0.0 has been released to address the issue (http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/). Please refer to vendor documentation (https://blog.jquery.com/) for the latest security updates.
    ———————————————-
    In jQuery versions on or above 1.12.2 and below 2.2.0 $.parseHTML has (lots of) XSS. In these versions parseHTML() executes scripts in event handlers. Please refer to the following resources for more details: https://bugs.jquery.com/ticket/11974, http://research.insecurelabs.org/jquery/test/

    #1048041

    Hey galpinr,

    You could try to deregister the jquery included in the theme using this:

    // In your child theme's functions.php: remove the 'jquery' handle that WordPress core registers,
    // then register and enqueue your own copy under the same handle.
    function my_scripts_method() {
      wp_deregister_script( 'jquery' );
    }
    add_action( 'wp_enqueue_scripts', 'my_scripts_method' );

    Then enqueue your own file. You run a very big risk of breaking a lot of theme functionality if you do this though.

    Best regards,
    Rikard
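An expanded form of that approach, added here as an example rather than code from Enfold or from this thread: a child theme's functions.php that swaps the core 'jquery' handle for a locally hosted jQuery 3.x plus jQuery Migrate 3.x on the front end only. The js/ file names, paths and version strings are assumptions.

```php
<?php
// Added example for a child theme's functions.php (not Enfold's own code).
// Swaps the 'jquery' handle that WordPress core registers (1.12.4 in this
// thread) for a locally hosted jQuery 3.x, front end only. The js/ file
// names and the version strings below are assumptions.

function my_child_replace_jquery() {
    // Leave wp-admin alone: the admin screens depend on the core bundle.
    if ( is_admin() ) {
        return;
    }

    $dir = get_stylesheet_directory_uri() . '/js/';

    // Core registers both handles; wp_register_script() will not overwrite
    // an existing handle, so both must be deregistered first.
    wp_deregister_script( 'jquery' );
    wp_deregister_script( 'jquery-migrate' );

    // Re-register under the same handle so every theme and plugin script
    // that lists 'jquery' as a dependency resolves to the replacement.
    wp_register_script(
        'jquery',
        $dir . 'jquery-3.5.1.min.js',  // assumed local copy; pin the version
        array(),
        '3.5.1',
        false                           // load in the head, as core does
    );

    // jQuery Migrate 3.x restores several APIs removed after 1.x and logs a
    // console warning each time one is used (messages of the form
    // "jQuery.browser is deprecated"). Keep it while porting the theme
    // scripts, then drop it once the console is clean.
    wp_register_script(
        'jquery-migrate',
        $dir . 'jquery-migrate-3.3.2.min.js',
        array( 'jquery' ),
        '3.3.2',
        false
    );
    wp_enqueue_script( 'jquery-migrate' );
}
// Priority 0 so this runs before the theme's own enqueue callbacks.
add_action( 'wp_enqueue_scripts', 'my_child_replace_jquery', 0 );
```

Because this thread reports the Enfold menu and search tooltip breaking under jQuery 3, exercise those on a staging copy with the browser console open before deploying; the migrate warnings tell you which theme calls still need porting.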

    #1092507

    We have a question regarding this as well – Is there any sort of a plan to update Enfold to the latest version of jQuery? This severely limits the theme in general, when I use a plugin called jQuery Updater it breaks the functionality of the Nav on the website, as well as a few other things.

    #1092805

    Hi bigbadjohn,

    Why do you need to update jQuery in the theme?

    Best regards,
    Rikard

    #1093437

    Hey Rikard,

    I don’t think it’s entirely necessary to update jQuery at this point. I’m just used to working with the latest version, and noticed that when I loaded in the latest version many things broke.

    More so for my familiarity, I didn’t learn jQuery until it was in version 3.

    Again, not entirely necessary – I was just curious.

    #1093583

    Hi bigbadjohn,

    Thanks for the update. Like you say, there is a great chance of things breaking in the theme if you update jQuery, so it’s not really advisable.

    Best regards,
    Rikard

    #1093681

    It’s a security issue.

    OP: “Results from a security scan on our Enfold site returned security vulnerability issues related to the version of jquery being used by Enfold.”

    #1094769

    Hi,

    What are those issues? Can you please ask them to list the issues for us?
    Because with a quick search there is no open vulnerability.

    Best regards,
    Basilis

    #1094785

    My original post has the details returned by the security scan that explain the issues.

    #1095623

    Hi,

    We have forwarded the ticket to our developers.

    Best regards,
    Basilis

    #1096549

    Same here, please update.
    I see the same security risk and Chrome gives users a warning, which makes the investment in an SSL certificate less valuable.
    The warning, even when the risk is not big, gives a low-trust user experience.
    I do understand it is a wider issue with WordPress.
    It would be good if the theme menu doesn’t break when updating WordPress to jQuery 3+.

    #1096770

    Hi,

    The theme is not including a custom version of jQuery, we are using the default WordPress one. https://wordpress.org/support/topic/why-wordpress-only-use-old-jquery-version-is-1-12-4/

    Best regards,
    Rikard

    #1096944

    Hello, yes I have noticed.

    I first tried to upgrade WordPress to use the newest jQuery 3 with a plugin https://wordpress.org/plugins/jquery-updater/
    but that broke my Enfold menu. Removed that now.

    I found out what triggered the warning and the old jQuery loading.
    I used your new feature to upload my own Font and load them.
    This triggered an old jQuery library, triggered the warning in the Chrome browser and slowed down the website.

    I removed the Fonts and deactivated the jQuery migrate. Everything still works and no more warning from Chrome.
    I found the performance option where I can deactivate jQuery migrate.
    Maybe you can add an option to deactivate the old jQuery library and turn on a hook to the newest jQuery3?

    #1097003

    Using Jquery Updater has worked for us with one exception that I am hoping I can get help with…

    We have the Search icon at the end of our main menu. The design, when working, is that clicking the Search Icon displays the Search form and search text input field for use. With Jquery Updater the Search form and search text field do not display on click of the Search icon.

    When working, the implementation goes like this: the style of the DIV that holds the search form and field is by default set to display: none; opacity: 0; when you click the Search icon that DIV style is changed to display: block; opacity: 1;
    The DIV involved here is:
    <div class="avia-search-tooltip avia-tt" style="top: 28.7344px; left: 738.109px; display: none; opacity: 0;">
    On click of the Search Icon it gets changed to:
    <div class="avia-search-tooltip avia-tt" style="top: 28.7344px; left: 738.109px; display: block; opacity: 1;">
    Jquery updater breaks this.
    Is there a way to fix this in functions.php? Or some other way?

    #1097562

    Hi,

    Thanks for the update.

    Where can we see the issue? Please provide the site url in the private field so that we can inspect it. Do you see any errors in the browser console?

    Best regards,
    Ismael

    #1097704

    I see no errors in the console. Thanks
    Link sent in the private field.

    #1097937

    Hi,

    Thanks for the update.

    The opacity is not adjusting properly on click but I’m not sure why. You can add this CSS code to fix that issue temporarily.

    /* Temporary workaround: force the search tooltip visible once it is switched to display: block */
    .avia-search-tooltip.avia-tt {
        opacity: 1 !important;
    }

    Are there any other issues that you notice aside from this?

    Best regards,
    Ismael

    #1098098

    Thank you – that fixed it.
    This is the only issue we have seen resulting from using Jquery updater to update the WordPress core javascript to 3.x.

    The security scans still pick up that Enfold is using the older jQuery versions that have been identified as a security risk. Hoping we can find a way to resolve that. But thank you for this Search button fix – that is a great help!

    #1099589

    Hi,

    We are loading the Jquery version that WordPress is loading.
    We have confirmed this with our developers so for any issue – please check the WordPress core.

    Best regards,
    Basilis

    #1116742

    Adding a note to this conversation as I get the security risk message on the Chrome Lighthouse report as well – so hoping to get updated on this topic.

    Cheers,

    Havi

    #1116945

    Hi Havi,

    We are still using the default WordPress jQuery version, so there’s nothing new really.

    Best regards,
    Rikard

    #1256876

    Hi, I get message “The following are deprecations logged from the front-end of your site, or while the deprecation box was disabled.”
    /wp-content/themes/enfold/js/avia.js: jQuery.browser is deprecated

    How can I reliably fix it?

    Thank you

    #1257410

    Hi inforexx,

    Please open a new thread and include WordPress admin login details in private so that we can have a closer look at your site.

    Best regards,
    Rikard
