
Hi,

First of all, thank you for your amazing support. I'm very happy with your products and the support that comes with them. Thank you!

I know this issue could be out of InspireTheme's support scope, but your recommendations can help me a lot and I appreciate them.


I know the origin of this problem; it is really related to the Joomla! core and jQuery, because Joomla! 3.9.x is still using an old version of the jQuery library (jQuery@1.12.4) and this version has vulnerabilities of medium severity. You can check this in your own Joomla! installation using a tool like the Chrome audit (Lighthouse), or you can check it in the CHANGELOG on jQuery's website too.

Please check these issues from the official Joomla! GitHub account:

https://github.com/joomla/joomla-cms/issues/19464

https://github.com/joomla/joomla-cms/pull/20660


InspireTheme templates use the UIKit framework and the majority of extensions for Joomla! work with Bootstrap 3.x (not 2.x). I tested compatibility with the latest version of jQuery by replacing Joomla!'s /media/jui/js/jquery* files with the latest version of these files, and it works properly with my third-party extensions.

The problem in question is related to Joomla!'s update system and /media/jui/js/, because after each update the newly installed package replaces these files and all the work of updating them is lost.

I know that it is possible to unset these core scripts from the template by adding some code statements, but I don't want to do this because it requires changes in the core templates, and I prefer to ask for your support first.

My question is about best practices for security risk prevention: is this version of jQuery really vulnerable? Many websites, including inspiretheme.com and joomla.org, are using jQuery from the default Joomla! core (the old version), but the Lighthouse audit tool is classifying this security advisory as medium risk.

What is your professional recommendation about this issue? If this is really a serious security problem, is InspireTheme planning to take action on this matter?


Thank you for your great support, you are the best!

Cheers,

Accepted Answer

Wednesday, November 07 2018, 04:52 PM - #Permalink
Hi Esteban,

We are not planning to take any actions because we cannot actually take an action :)

Our products do not load jQuery directly. We rely on Gantry 5 to call jQuery that comes from the CMS (in this case Joomla).
In short, here's how it works:

1. We ask Gantry 5 to load jQuery. You might want to have a look at the uikit.html.twig file, for example, and you will notice this code: {% do gantry.load('jquery') %}

2. Then Gantry 5 asks the CMS (Joomla, WordPress or Grav) to load jQuery.

3. All of the above CMSs come with jQuery in their core, so this is what is loaded at the end - the jQuery library that comes from the CMS (not from Gantry 5 and not from our products).

But you should not be worried, because this issue is patched in Joomla 3.9.0.
In one of the Github issues that you referred to, it is written that the fix is merged into Joomla 3.9.0.

My question is about best practices for security risk prevention: is this version of jQuery really vulnerable? Many websites, including inspiretheme.com and joomla.org, are using jQuery from the default Joomla! core (the old version), but the Lighthouse audit tool is classifying this security advisory as medium risk.

Nope, this is not a real security issue in my opinion.
If you read the whole issue on GitHub you will notice that this vulnerability affects only AJAX requests and that it is very difficult to actually exploit a website, because the hacker needs to have access to the endpoint server, which is not very likely (not at all).
Regarding our website in particular - we are not yet on Joomla 3.9.0 (which contains the fix). But as I said above, I'm not really worried ;)
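The answer above describes a chain in which the template asks Gantry 5, Gantry 5 asks the CMS, and the CMS supplies whatever jQuery it ships; the question describes a Joomla update quietly putting the stock /media/jui/js files back. Either way, the only thing worth trusting is what is actually on disk after each update. The following is an added example of such a post-update check written for this thread; it is not code from InspireTheme, Gantry 5 or Joomla. It assumes the jQuery files carry jQuery's standard version banner ("/*! jQuery v1.12.4 | ..." in the minified build, "jQuery JavaScript Library v1.12.4" in the unminified one), and the MIN_VERSION threshold is an arbitrary value chosen for the example, not a figure the page states.

```python
"""Post-update check for the jQuery that Joomla ships in /media/jui/js.

Added example for this thread; not code from InspireTheme, Gantry 5 or Joomla.
Assumption: the files carry jQuery's standard banner, i.e.
"/*! jQuery v1.12.4 | ..." (minified) or "jQuery JavaScript Library v1.12.4"
(unminified). MIN_VERSION is an arbitrary threshold chosen for the example.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Banner regex covering both the minified and the unminified jQuery header.
BANNER_RE = re.compile(r"jQuery (?:JavaScript Library )?v(\d+)\.(\d+)\.(\d+)")

# The two core files the question talks about replacing by hand.
JUI_FILES = ("jquery.js", "jquery.min.js")

# Threshold for this example only (the page names no required version).
MIN_VERSION: Version = (3, 0, 0)


def parse_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch) from the banner at the top of a jQuery file."""
    match = BANNER_RE.search(text[:512])  # the banner sits in the first few lines
    if not match:
        return None
    return (int(match.group(1)), int(match.group(2)), int(match.group(3)))


def audit_jui(jui_dir: Path, min_version: Version = MIN_VERSION) -> Dict[str, dict]:
    """Report the version found in each core jQuery file and whether it meets min_version.

    A missing file or a file without a recognisable banner is reported as not ok,
    so a silently reverted or corrupted file never passes by accident.
    """
    report: Dict[str, dict] = {}
    for name in JUI_FILES:
        path = jui_dir / name
        version = None
        if path.is_file():
            version = parse_version(path.read_text(encoding="utf-8", errors="replace"))
        report[name] = {
            "version": version,
            "ok": version is not None and version >= min_version,  # tuple comparison
        }
    return report


def format_report(report: Dict[str, dict]) -> str:
    """Human-readable one-line-per-file summary."""
    lines = []
    for name, entry in report.items():
        shown = ".".join(map(str, entry["version"])) if entry["version"] else "no banner / missing"
        lines.append(f"{name}: {shown} -> {'OK' if entry['ok'] else 'BELOW MINIMUM'}")
    return "\n".join(lines)


def demo() -> Dict[str, dict]:
    """Run the audit on a constructed media/jui/js directory.

    Constructed sample: jquery.min.js carries the stock banner Joomla 3.x ships
    (1.12.4); jquery.js stands in for a file replaced by hand with a newer build.
    """
    with tempfile.TemporaryDirectory() as tmp:
        jui = Path(tmp) / "media" / "jui" / "js"
        jui.mkdir(parents=True)
        (jui / "jquery.min.js").write_text(
            "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */\n"
            "!function(a,b){}(window);\n"
        )
        (jui / "jquery.js").write_text(
            "/*!\n * jQuery JavaScript Library v3.3.1\n * https://jquery.com/\n */\n"
            "(function(global, factory){})(window);\n"
        )
        return audit_jui(jui)


if __name__ == "__main__":
    print(format_report(demo()))
```

Point `audit_jui` at the real `media/jui/js` directory after every Joomla update and fail the deployment when any file reports BELOW MINIMUM; a hand-replaced file that the installer has reverted shows up as 1.12.4 again. For the browser side, `jQuery.fn.jquery` typed into the developer console returns the version the page actually loaded, whichever component in the chain asked for it.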