Gatwick
Resolver I

PowerApps Portals jQuery 3.0 vulnerability

Our security team have identified that our OOB Portal has a jQuery vulnerability, shown in the National Database as

CVE-2019-11358

I gather that jQuery is a Portal building block, so what can, or should, I do to mitigate this risk?

jQuery versions below 3.4.0 mishandle jQuery.extend(true, {}, ...) because of Object.prototype pollution. An unsanitized source object containing an enumerable __proto__ property could extend the native Object.prototype.

With script attacks handled by the ASP.NET 'Request Validation' feature, does this also block the jQuery risk?

Cheers, Richard, U.K.
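The pollution path the CVE text describes, as an added example that is not part of the original post and is not jQuery's own code: a minimal deep merge written to behave the way jQuery.extend(true, ...) did before 3.4.0, next to the same merge with the check that 3.4.0 added (skip the "__proto__" key). The attacker JSON is constructed for the example; isPlainObject, deepExtendVulnerable, deepExtendSafe and demonstrate are names chosen here. It also shows why the input has to arrive through a parser such as JSON.parse: a "__proto__" key in an object literal sets the prototype instead of creating an enumerable own property. On the Request Validation question, that feature examines request input on the server for HTML-like markup, whereas this merge runs in the browser on whatever object reaches jQuery.extend, so the two are independent controls; a payload like the one below contains no markup for it to reject.

```javascript
// Added example, not from the thread: a minimal model of CVE-2019-11358.
// deepExtendVulnerable behaves like jQuery.extend(true, ...) before 3.4.0;
// deepExtendSafe adds the check jQuery 3.4.0 introduced.

function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === null || proto === Object.prototype;
}

// Pre-3.4.0 behaviour: every enumerable key of source is merged, "__proto__" included.
function deepExtendVulnerable(target, source) {
  for (const key in source) {
    const copy = source[key];
    if (isPlainObject(copy)) {
      // For key "__proto__", target[key] resolves to Object.prototype, which passes
      // the plain-object test and becomes the target of the recursive merge.
      const existing = target[key];
      const clone = isPlainObject(existing) ? existing : {};
      target[key] = deepExtendVulnerable(clone, copy);
    } else if (copy !== undefined) {
      target[key] = copy;
    }
  }
  return target;
}

// jQuery 3.4.0 fix: never merge the "__proto__" key, and never merge a source
// value that is the target itself (the other guard added in the same change).
function deepExtendSafe(target, source) {
  for (const key in source) {
    if (key === '__proto__' || source[key] === target) continue;
    const copy = source[key];
    if (isPlainObject(copy)) {
      const existing = target[key];
      const clone = isPlainObject(existing) ? existing : {};
      target[key] = deepExtendSafe(clone, copy);
    } else if (copy !== undefined) {
      target[key] = copy;
    }
  }
  return target;
}

// Constructed attacker input. JSON.parse creates an own, enumerable "__proto__"
// property; the literal {"__proto__": {...}} in code would instead set the
// prototype, so the attack needs input that arrives through a parser.
const ATTACKER_JSON = '{"__proto__": {"isAdmin": true}}';

function demonstrate() {
  const result = { before: ({}).isAdmin };           // undefined on a clean runtime

  deepExtendVulnerable({}, JSON.parse(ATTACKER_JSON));
  result.afterVulnerable = ({}).isAdmin;             // true: every object now inherits isAdmin
  delete Object.prototype.isAdmin;                   // undo the pollution before the safe run

  deepExtendSafe({}, JSON.parse(ATTACKER_JSON));
  result.afterSafe = ({}).isAdmin;                   // still undefined
  return result;
}

console.log(demonstrate());
```

The interesting line is the recursive call with key "__proto__": target[key] on a fresh object is Object.prototype, and the merge then writes straight into it, which is why one unsanitized JSON body affects every object in the page afterwards.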

 

 

 

10 REPLIES
ragavanrajan
Super User

Hi @Gatwick

There is no easy way to upgrade the inbuilt jQuery framework. If there is a security issue, kindly raise a ticket with Microsoft as a higher priority.

They can deal with this.

Please let us know if you have difficulty in this process. Otherwise I will raise it with the product team.

Hope it helps.

------------

If you like this post, give it a Thumbs up. Where it solved your request, Mark it as a Solution to enable other users to find it.

 

Hi Ragavanrajan,

Thanks. V3 is now five years old. I've raised the update as an idea, so please share, as I bet you have a lot of contacts!

Portals-jQuery-Portals-is-FIVE-YEARS-out-of-date

If it cannot be updated, do you know if the vulnerabilities act as rogue HTML, so would be captured by ASP.NET Request Validation? If not, any suggestions as to how I can reassure our security team?

Cheers, Richard, U.K.

Hi @Gatwick

I have upvoted the idea. I completely agree jQuery 3.0 is five years old. The PowerApps portal Bootstrap version is also old. Please raise a ticket with Microsoft regarding this. When I get a chance to speak to the portal engineering team I will highlight this as a security issue and check their upcoming roadmap.

I have tried upgrading the jQuery version and it seems to be updated to jQuery 3.6.0.

In portal studio:

1. Home page > edit the source code and add the following code

<script src="https://code.jquery.com/jquery-3.6.0.min.js" integrity="sha256-/xUj+3OJU5yExlq6GSYGSHk7tPXikynS7ogEvDej/m4=" crossorigin="anonymous"></script>

Press Sync configuration and browse the website.

Output:

In Portal console

[screenshot: portal console output]

Hope it helps.
------------

If you like this post, give it a Thumbs up. Where it solved your request, Mark it as a Solution to enable other users to find it.

 

 

 

 

 

 

Hi Ragavanrajan, thanks for your help. Sounds great, but could you give me a bit more guidance please?

1. I edited the Home/HTML in portal management as per the screenshot, but that can't be right as it breaks the front side editor, so I reverted.

2. I don't know how to get to the HTML in portal studio. Many thanks, Richard

Hi Ragavanrajan, I did try again, wrapping the <script> in <head> tags, but when I check on the front side editor the head and script HTML is not there. Help appreciated! Cheers, Richard

Hi Ragavanrajan, I put my brain in gear and edited the HTML in the studio with the script 3.6 insert. Attachments show the edit and how it surfaces in the browser developer inspection. BUT it still fails on the Lighthouse test, which sees V3.0. Should that home page V3.6 script persist across all pages? Cheers, Richard

Hi, I've been looking around to see why those jQuery V3.0 findings still persist; might this be a suspect? Cheers, Richard

Hi Richard,

For me, jQuery is showing as 3.6.0, and it is upgraded 😀 But keep in mind that you also need to update the dependent libraries for jQuery 3.6.0. I am not sure about the risk of taking it to production, so please play around in your dev environment.

Here are the steps for you.

Pre: Download the jQuery minified version to your local machine.

Log in to portal management.

1. Click Settings > Advanced Settings
2. In the Dynamics 365 Settings > Customise the system

[screenshot: Dynamics 365 Settings > Customise the system]

3. Click Web resources > Filter the name which starts with j > you can find jquery
4. Replace the current jquery with your recently downloaded one.

[screenshot: jquery web resource]

Note: You may need to unblock your JS extension in Dynamics 365.

We are done now.

In Portal studio > Refresh the page > Sync configuration and browse the website. Press Ctrl + F5.

In the console, try the following:

[screenshot: console check]

As mentioned above, you may need to upgrade and perform the above steps for the following dependent libraries of jQuery:

[screenshot: dependent libraries of jQuery]

I can't think of any other alternative way, unless the Portal engineering team decide to upgrade jQuery and Bootstrap.

Hope it helps.
------------

If you like this post, give it a Thumbs up. Where it solved your request, Mark it as a Solution to enable other users to find it.
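The console check in the step above (the screenshot did not survive extraction; it presumably reads jQuery.fn.jquery) only reports which build window.jQuery currently refers to. The following is an added example, not from the thread, that can be pasted into the browser developer console as probeJquery(window.jQuery): it reads that version string, runs jQuery.extend(true, ...) against a constructed CVE-2019-11358 style payload so the actual behaviour is tested rather than the version number, cleans up afterwards, and lists every script tag whose src mentions jquery. If the original 3.0 build is still served on the page next to the added 3.6.0 copy, it appears in that list, which is the sort of thing a scanner that fingerprints the libraries present on a page keeps reporting even after a newer copy has been loaded. probeJquery and PROBE_JSON are names chosen here; the doc parameter exists so the function can be exercised outside a browser.

```javascript
// Added example, not from the thread: a behavioural probe for the jQuery build a
// page is actually using. In a browser, run probeJquery(window.jQuery) in the console.

// Constructed payload in the shape CVE-2019-11358 describes: an enumerable
// "__proto__" key that only exists because the object comes from JSON.parse.
const PROBE_JSON = '{"__proto__": {"probe_cve_2019_11358": true}}';

function probeJquery(jq, doc) {
  const report = { version: null, vulnerable: null, scripts: [] };

  // Which build does this global point at? Only the last-loaded copy owns the
  // window.jQuery name, so this says nothing about other copies still served.
  if (jq && jq.fn && typeof jq.fn.jquery === 'string') {
    report.version = jq.fn.jquery;
  }

  // Exercise extend(true, ...) itself rather than trusting the version string.
  if (jq && typeof jq.extend === 'function') {
    try {
      jq.extend(true, {}, JSON.parse(PROBE_JSON));
      report.vulnerable = ({}).probe_cve_2019_11358 === true;
    } catch (e) {
      report.error = String(e);
    } finally {
      delete Object.prototype.probe_cve_2019_11358; // always undo the probe
    }
  }

  // List every script tag that looks like a jQuery build; doc is injectable so
  // the function can be exercised outside a browser.
  const d = doc || (typeof document !== 'undefined' ? document : null);
  if (d && d.scripts) {
    for (const s of d.scripts) {
      if (s.src && /jquery/i.test(s.src)) report.scripts.push(s.src);
    }
  }
  return report;
}

if (typeof window !== 'undefined') console.log(probeJquery(window.jQuery));
```

A result of version 3.6.0 with vulnerable false but two jquery entries in scripts means the page still downloads the old build and a version-fingerprinting scan will keep flagging it, even though the copy that code on the page actually calls is fixed.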

Hi Ragavanrajan, gosh, you know your way around. I'll be trying this in a while, thanks for the advice. Whilst 3.6 shows for you in the console, if you run a vulnerability scan, say from Lighthouse, does it report V3.0 issues after you've got 3.6 loaded? Cheers, Richard
