jQuery JavaScript library receives security patch for a rare Prototype Pollution vulnerability

• The flaw can enable a hacker to modify a JavaScript object’s prototype.
• Most websites that still use the 1.x and 2.x versions of the jQuery library are affected by the ‘Prototype Pollution’ vulnerability.

jQuery JavaScript library which is used on 74 percent of all internet sites has received a security patch for a rare vulnerability called ‘Prototype Pollution’. The flaw can enable a hacker to modify a JavaScript object’s prototype.

A close-up view of the flaw - JavaScript objects are like variables. They can contain multiple values on a predefined structure.

On the other hand, ‘Prototype’ defines a JavaScript object’s default structure and default values. It takes care that applications don’t crash when no values are set.

The flaw of ‘Prototype Pollution’ can have a major impact if an attacker gains access and starts altering a JavaScript object prototype. Successful exploitation of the flaw can open the door for more dangerous attacks such as application crashes or application hijacks.

Most websites that still use the 1.x and 2.x versions of the jQuery library are vulnerable to ‘Prototype Pollution’ vulnerability.

What are the limitations - In a Proof of Concept code, Tal and the Synk team has assigned the flaw impacting jQuery as CVE-2019-11358.

Although “Prototype Pollution’ flaw could allow attackers to launch several dangerous attacks, researchers claim that the vulnerability is not easy to exploit. The flaw requires attackers to have in-depth knowledge of how each website works with its object prototypes.

Furthermore, some websites do not use the jQuery library for any heavy operations but merely to show some popups.

"Finding versions of the jQuery vulnerability for this exploit is not a hard task, but automating an actual exploitation for custom code that makes use of jQuery's vulnerable API with regards to the prototype pollution would be more difficult," Tal told ZDNet.

In addition, there are few apps and websites - that rely on closed source code - are safeguarded against such attacks.

How to stay safe - Web developers using jQuery JavaScript library are advised to update their projects to the latest jQuery version, v3.4.0.

“jQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extend(true, {}, ...). If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. This fix is included in jQuery 3.4.0, but patch diffs exist to patch previous jQuery versions,” the jQuery team noted in a blog post.