-
Posts
-
Results from a security scan on our Enfold site returned security vulnerability issues related to the version of jquery being used by Enfold.
Is there a way to remove jquery version 1.12.4 and replace it with jquery version 3.0 or higher?
Here are the results from the scan:
Details:
jQuery versions on or above 1.4.0 and below 1.12.0 (version 1.12.3 and above but below 3.0.0-beta1 as well) are vulnerable to XSS via 3rd party text/javascript responses(3rd party CORS request may execute). (https://github.com/jquery/jquery/issues/2432).
Solution: jQuery version 3.0.0 has been released to address the issue (http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/). Please refer to vendor documentation (https://blog.jquery.com/) for the latest security updates.
———————————————-
In jQuery versions on or above 1.12.2 and below 2.2.0 $.parseHTML has (lots of) XSS. In these versions parseHTML() executes scripts in event handlers. Please refer following resource for more details: https://bugs.jquery.com/ticket/11974, http://research.insecurelabs.org/jquery/test/Hey galpinr,
You could try to deregister the jquery included in the theme using this:
function my_scripts_method() { wp_deregister_script( 'jquery' ); } add_action('wp_enqueue_scripts', 'my_scripts_method');Then enqueue your own file. You run a very big risk of breaking a lot of theme functionality if you do this though.
Best regards,
RikardWe have a question regarding this as well – Is there any sort of a plan to update Enfold to the latest version of jQuery? This severely limits the theme in general, when I use a plugin called jQuery Updater it breaks the functionality of the Nav on the website, as well as a few other things.
Hey Rikard,
I don’t think it’s entirely necessary to update jQuery at this point. I’m just used to working with the latest version, and noticed that when I loaded in the latest version many things broke.
More so for my familiarity, I didn’t learn jQuery until it was in version 3.
Again, not entirely necessary – I was just curious.
Hi bigbadjohn,
Thanks for the update, like you say there is a great chance of things breaking in the theme if you update jQuery, so it’s not really advisable.
Best regards,
RikardIt’s a security issue.
OP: “Results from a security scan on our Enfold site returned security vulnerability issues related to the version of jquery being used by Enfold.”
Hi,
What are those issues, can you please ask them to list us the issues?
Because with a quick search there is no open vulnerabilityBest regards,
BasilisSame here, please update.
I see same security risk and Chrome gives users a warning, which makes the investment to SSL certificate less value.
The warning even when risk is not big, gives a low trust user experience.
I do understand it is a wider issue with WordPress.
It would be good if the theme menu doesnt break when updating WordPress to Jquery 3+Hi,
The theme is not including a custom version of jQuery, we are using the default WordPress one. https://wordpress.org/support/topic/why-wordpress-only-use-old-jquery-version-is-1-12-4/
Best regards,
RikardHello, yes I have noticed.
I first tried to upgrade WordPress to use the newest jQuery 3 with a plugin https://wordpress.org/plugins/jquery-updater/
but that broke my Enfold menu. Removed that now.I found out what triggered to warning and old jQuery loading.
I used your new feature to upload my own Font and load them.
This triggered an old jQuery library, triggered the warning in Chrome browser and slow down the website.I removed the Fonts and deactivated the jQuery migrate. Everything still works and no more warning from Chrome.
I found the performance option where I can deactivate jQuery migrate.
Maybe you can add an option to deactivate the old jQuery library and turn on a hook to the newest jQuery3?Using Jquery Updater has worked for us with one exception that I am hoping I can get help with…
We have the Search icon at the end of our main menu. The design, when working, is that clicking the Search Icon displays the Search form and search text input field for use. With Jquery Updater the Search form and search text field do not display on click of the Search icon.
When working, the implementation goes like this: The style of the DIV that holds the search form and field by default set to
display: none; opacity: 0;when you click the Search icon that DIV style is changed todisplay: block; opacity: 1;
The DIV involved here is:
<div class="avia-search-tooltip avia-tt" style="top: 28.7344px; left: 738.109px; display: none; opacity: 0;">
On click of the Search Icon gets changed to:
<div class="avia-search-tooltip avia-tt" style="top: 28.7344px; left: 738.109px; display: block; opacity: 1;">
Jquery updater breaks this.
Is there a way to fix this in functions.php? Or some other way?Hi,
Thanks for the update.
Where can we see the issue? Please provide the site url in the private field so that we can inspect it. Do you see any errors in the browser console?
Best regards,
IsmaelHi,
Thanks for the update.
The opacity is not adjusting properly on click but I’m not sure why. You can add this css code to fix that issue temporarily.
.avia-search-tooltip.avia-tt { opacity: 1 !important; }Are there any other issue that you notice aside from this?
Best regards,
IsmaelThank you – that fixed it.
This is the only issue we have seen resulting from using Jquery updater to update the WordPress core javascript to 3.x.The security scans still pickup that Enfold is using the older jquery versions that have been identified as a security risk. Hoping we can find a way to resolve that. But thank you for this Search button fix – that is a great help!
Hi,
We are loading the Jquery version that WordPress is loading.
We have confirmed this with our developers so for any issue – please check the WordPress core.Best regards,
BasilisAdding a note to this conversation as I get the security risk message on the Chrome Lighthouse report as well – so hoping to get updated on this topic.
Cheers,
Havi
Hi Havi,
We are still using the default WordPress jQuery version, so there’s nothing new really.
Best regards,
RikardHi, I get message “The following are deprecations logged from the front-end of your site, or while the deprecation box was disabled.”
/wp-content/themes/enfold/js/avia.js: jQuery.browser is deprecatedHow can I reliably fix it?
Thank you
Hi inforexx,
Please open a new thread and include WordPress admin login details in private so that we can have a closer look at your site.
Best regards,
Rikard
- You must be logged in to reply to this topic.