`jquery-ui` package is vulnerable to Prototype Pollution - `widget` function

Question

`jquery-ui` package is vulnerable to Prototype Pollution - `widget` function

knalepa opened this issue a year ago · 1 comments

Hello,

My team encountered an issue when Fortify Scanner runs the scan for one of our projects.

The description of the issue is below:

The jquery-ui package is vulnerable to Prototype Pollution. The $.widget() function in widget.js does not properly check if the name parameter contains a risky JavaScript accessor such as __proto__ or constructor when creating a new widget. An attacker can exploit this vulnerability by providing a crafted name to override the original JavaScript prototype and therefore values of objects used by the application. This may result in arbitrary code execution, data corruption, or application crashes.

Component Name: jquery-ui
Component Version: 1.14.1

I didn't find anything related to that.

Would you mind to take a look on that?

Thank you.

Answer 1 · 2025-01-07T07:59:11.000Z

it was an issue on our Fortify scanner, please ignore it