Cybersecurity specialist reports mention that jQuery, the popular JavaScript library, has been compromised by an unusual prototype pollution vulnerability that could allow threat actors to modify a Javascript object prototype.
It is estimated that the impact of this problem
could be serious, considering that this library is currently used by more than
70% of the functional websites; most sites still use the 1.x and 2.x versions
of the library, making them vulnerable to this flaw.
Recently an update patch was released to
correct this flaw, three years after the last security update this library
received, the cybersecurity experts mention.
Specialists mention that JavaScript objects are
like variables that can store multiple values according to a default structure.
As for the prototypes, these are used to define a structure in the JavaScript
object.
According to experts from the International
Institute of Cyber Security (IICS), if a malicious user is able to modify a JavaScript
object prototype, it can cause an application to crash and modify its operation
in case of not receiving the expected values. Due to the extensive use of
JavaScript, exploiting this vulnerability in a prototype could cause serious
problems in several web applications.
Cybersecurity experts have shown that
exploiting the vulnerability (identified as CVE-2019-11358) can assign
themselves administrator privileges in a web application that uses the jQuery
library code.
The specialists pointed out that this
vulnerability of prototype pollution is not functional for its massive
exploitation, because the code of the exploit must be especially crafted for
each individual JavaScript object, so at least not everything is bad news.
In addition, experts recommend that web
developers working with this library update as soon as possible to the latest
version of jQuery (v 3.4.0). According to the reports, the most recent version
of the library includes corrections for some undesirable functions during the
library use; technical details about each of these fixes can be found in the
official jQuery developers’ blog.
