In our 7.2.1 PRPC we have some JavaScript libraries which use jQuery.ui.dialog version: 1.11.4, which contains a known vulnerability allowing XSS via 3rd party. A new version of jQuery 3.0 has been released to address the XSS issue. Does Pega have a time frame when they will adopt jQuery 3.0?
The version of jQuery present in the product has been upgraded as of 7.3.1.
For Pega 7.3.1, jQuery is upgraded to the latest stable version available as of July 2017:
- jQuery core was upgraded from 2.2.0 (released on 2016-01-08) to 3.2.1 (released on 2017-03-20)
- jQuery UI was upgraded from 1.11.4 (released on 2016-05-10) to 1.12.1 (released on 2017-06-27)
Additionally, please be aware that the jQuery functionality for which the vulnerabilities exist is not used by the Pega platform.
As of now, our engineers are confident that the jQuery vulnerabilities cannot be exploited and have indicated that the best solution at this point is to upgrade to Pega 7.3.1, where jQuery is upgraded to the latest stable version available as of July 2017.