Prototype JS

Mark Elliott asked on September 14, 2017 22:57

The Prototype JS library. What is it being used for? We are being flagged in security audit for having the prototype library due to it being outdated.

Correct Answer

Trevor Fayas answered on September 15, 2017 17:40

Okay, my apologies, looks like on Kentico 10 they still have Prototype 1.5.1.2. Kentico itself has cross-site ajax request protection (XSS and CSRF/XSRF), and I admit I'm not knowledgeable enough to know if someone could leverage the prototype bugs to bypass these; my guess would be no.

You could experiment and replace the Prototype.js (CMS/CMSScripts/Prototype.js) with an updated version and see if you experience any issues in the UI. You can also notify Kentico through support@kentico.com and ask them if there is a security risk by having the outdated prototype.js and any reason why it is not up to date.


Recent Answers

Trevor Fayas answered on September 15, 2017 02:10

Wouldn't be any risk, Kentico is extremely secure; the only danger is if you open up doors yourself.

Kentico uses various libraries and tools in its admin area, but if you have secure passwords you should not have to worry since only editors will have access. On the front end, though, you only expose what you decide.


Mark Elliott answered on September 15, 2017 15:48

Oh I agree about Kentico being secure; it's just that it appears that the last release of the Prototype library was Sept. 2015 and is being flagged in our security audit as being a risk. I need some sort of documentation or mitigation plan to send back to the auditor.


Trevor Fayas answered on September 15, 2017 15:50

What version of Kentico are you using?


Trevor Fayas answered on September 15, 2017 15:58

Also, I'm looking for what security vulnerabilities exist. The last time there was a security vulnerability with prototypejs was 2011, so there's no security vulnerability; prototype js is just a tool to help build javascript classes/methods that Kentico's internal interfaces use, but it's client side so it can't really open up security vulnerabilities.

https://www.cvedetails.com/vulnerability-list/vendor_id-6541/Prototypejs.html

I would doubt Kentico will update its prototype.js when it really doesn't need to. I would go back to the security team and outline that there is no security vulnerability with that version, and ask what risk they think there is.


Mark Elliott answered on September 15, 2017 17:03

We're on v9.0.50, so we are all patched up.

According to that link it specifies that: Unspecified vulnerability in Prototype JavaScript framework (prototypejs) before 1.6.0.2 allows attackers to make "cross-site ajax requests" via unknown vectors.

Looking at the version that Kentico is using, the version is 1.5.1.2. I think this is what the security audit is picking up.

It should be updated to the last version released: 1.7.3

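A small audit helper for the version check Mark describes above, added here as an example and not code from the thread or from Kentico: it pulls the version string out of a Prototype.js source file and compares it against the CVE's fixed version (1.6.0.2) and the latest release (1.7.3) named in the thread. It assumes the library declares its version as a `Version: '...'` string literal, which is how Prototype's source is written; the sample source embedded below is constructed to resemble the header of Kentico's bundled copy.

```javascript
// Added example (not from the original thread or Kentico).
// Assumption: Prototype.js declares its version as  Version: '1.x.y.z'  inside
// the `var Prototype = { ... }` object literal, as the real library does.

// Version thresholds taken from the thread: the CVE text says "before 1.6.0.2",
// Kentico ships 1.5.1.2, and the last Prototype release is 1.7.3.
const FIXED_IN = '1.6.0.2';
const LATEST = '1.7.3';

function parseVersion(v) {
  return v.split('.').map(n => parseInt(n, 10));
}

// Compare dotted versions numerically (so 1.10 > 1.9); missing parts count as 0.
// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Extract the Version literal from Prototype.js source text; null if absent.
// The lowercase "version 1.x" in the banner comment deliberately does not match.
function extractPrototypeVersion(source) {
  const m = source.match(/Version\s*:\s*['"]([\d.]+)['"]/);
  return m ? m[1] : null;
}

// Classify the contents of a Prototype.js file for an audit report.
function auditPrototypeSource(source) {
  const version = extractPrototypeVersion(source);
  if (!version) {
    return { version: null, status: 'unknown', message: 'no Prototype Version string found' };
  }
  if (compareVersions(version, FIXED_IN) < 0) {
    return {
      version,
      status: 'vulnerable',
      message: `Prototype ${version} is before ${FIXED_IN} (CVE: cross-site ajax requests); upgrade to ${LATEST}`,
    };
  }
  if (compareVersions(version, LATEST) < 0) {
    return { version, status: 'outdated', message: `Prototype ${version} is past ${FIXED_IN} but not the latest (${LATEST})` };
  }
  return { version, status: 'current', message: `Prototype ${version} is current` };
}

// Constructed sample resembling the header of the copy Kentico ships.
const SAMPLE_KENTICO_COPY = `/*  Prototype JavaScript framework, version 1.5.1.2
 *  (c) 2005-2007 Sam Stephenson
 */
var Prototype = {
  Version: '1.5.1.2',
  Browser: {}
};`;

const report = auditPrototypeSource(SAMPLE_KENTICO_COPY);
console.log(`${report.status}: ${report.message}`);
```

To run it against a real install, read the bundled file (the thread names CMS/CMSScripts/Prototype.js) with `fs.readFileSync(path, 'utf8')` and pass the contents to `auditPrototypeSource`; the `status` field is what to attach to the audit response, and `vulnerable` is the outcome the 1.5.1.2 copy produces.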

Mark Elliott answered on September 15, 2017 17:51

Yes, I would guess not either. I might test updating one of our sites with the latest version and see if there are any issues. I'll post back if I see any issues. I'll contact support and see what they say.

Thanks!

