Security issues in JavaScript library (jQuery 1.7.2)
Recently we received a report from an Acunetix security scan stating that Kentico contains a vulnerable JavaScript library, jQuery 1.7.2. Since this question has been raised several times by our clients, I will provide more details in this article.
Our Security Specialists have investigated this report and we can verify that Kentico is safe in this case!
Acunetix scanned through Kentico's 3rd party components and compared their versions against a list of known vulnerabilities. It did not exploit Kentico in any way. It is true that we use an older version of the jQuery library; however, that does not imply that Kentico is vulnerable! We do not use the part of the jQuery code that is vulnerable.
Because this vulnerability does not affect Kentico, we have decided to update the jQuery library in a future version of Kentico rather than in a hotfix, since testing the new version will take quite a bit of time. Security scanners of this kind report issues that may be "false positives", and it often takes a security specialist going through the report to separate real security issues from them.
If you still want to upgrade the jQuery version, I recommend taking a look at the following article: http://devnet.kentico.com/questions/kentico-8-jquery-version . Our product architect Ales Kalina confirmed that the outlined steps are the same in Kentico 8.1 as well as 8.2.