Vulnerable JavaScript according to detectify.com

weheartwebsites 11-05-15

Hello everyone,

I am getting the following report from detectify.com:

Vulnerable JavaScript: https://cdn.optimizely.com/js/XXXX.js

Fingerprinted jQuery below version 1.9.0.1.

Is this a false alarm, or is optimizely.js really packaged with a vulnerable version of jQuery?

Regards,

Gunter

Re: Vulnerable JavaScript according to detectify.com

Hi Gunter,

Thanks for making your post and posting your question here! First I'd like to say we take security vulnerabilities very seriously. In order to get some more detail on the issue, I'd like to ask you a couple of questions. I'll send an e-mail to the email in your Optimizely account.

Best,

Nils

robertchan 11-05-15

Re: Vulnerable JavaScript according to detectify.com

Gunter,

Imo, it's safe to say this is a false alarm as we have a team of developers testing security around the clock and have been on Optimizely for well over a year with no security issues.

Best,
Rob
Robert Chan

JDahlinANF 11-06-15

Re: Vulnerable JavaScript according to detectify.com

It's a standard disclaimer because Optimizely loads an older version of jQuery.

From https://jquery.com/download/

"The jQuery 1.x line had major changes as of jQuery 1.9.0". I don't recall there being any security related issues that were addressed with the 1.9 changes, but it is fair to say that there probably are some ways that an older version of jQuery could be poorly used that would result in security issues, but merely including the library itself is more than likely not an issue.
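The report Gunter quotes comes from fingerprinting: the scanner reads the script served from the CDN, finds the version string jQuery embeds in its own source, and flags it when it is below a threshold. The following is an added example, not code from this thread, from Optimizely or from Detectify, that performs that same check on a script's source text so a site owner can reproduce the finding locally before deciding whether it is a false alarm. The function names, the 1.9.0 threshold default and the sample bundles are assumptions constructed for the example.

```javascript
// Added example (not from the thread, Optimizely or Detectify): fingerprint the
// jQuery version embedded in a script's source and flag it when it is older
// than a minimum. Sample inputs below are constructed, not real CDN content.

// Version markers jQuery carries in its own source: the un-minified banner,
// the minified banner, and the runtime version string.
const VERSION_PATTERNS = [
  /jQuery JavaScript Library v(\d+\.\d+(?:\.\d+)?)/,     // un-minified banner
  /jQuery v(\d+\.\d+(?:\.\d+)?)/,                          // minified banner
  /jquery:\s*["'](\d+\.\d+(?:\.\d+)?)["']/,                // core.jquery value
  /jQuery\.fn\.jquery\s*=\s*["'](\d+\.\d+(?:\.\d+)?)["']/, // jQuery.fn.jquery
];

// Returns the first version string found in the source, or null if none.
function fingerprintJQueryVersion(source) {
  for (const re of VERSION_PATTERNS) {
    const m = re.exec(source);
    if (m) return m[1];
  }
  return null;
}

// Compare dotted numeric versions of any length ("1.9.0" vs "1.9.0.1"):
// negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Produce a finding in the shape of the scanner report in the thread:
// which script, which jQuery version it bundles, and whether it is flagged.
function checkBundledJQuery(scriptUrl, source, minimumVersion = '1.9.0') {
  const version = fingerprintJQueryVersion(source);
  if (version === null) {
    return { url: scriptUrl, jquery: null, flagged: false };
  }
  return {
    url: scriptUrl,
    jquery: version,
    flagged: compareVersions(version, minimumVersion) < 0,
  };
}

// Constructed samples: a snippet bundling an old jQuery, one bundling a newer
// jQuery, and one with no jQuery at all.
const OLD_BUNDLE =
  '/*! jQuery v1.8.3 jquery.com | jquery.org/license */\n' +
  '(function(e,t){ /* ... */ })(window);';
const NEW_BUNDLE =
  '/*! jQuery v1.11.3 | (c) 2005, 2015 jQuery Foundation, Inc. | jquery.org/license */\n' +
  '!function(a,b){ /* ... */ }(window);';
const NO_JQUERY = 'window.optimizely = window.optimizely || [];';

if (typeof require !== 'undefined' && require.main === module) {
  // Placeholder URL; the real one in the thread is https://cdn.optimizely.com/js/XXXX.js
  const url = 'https://cdn.example.test/js/SNIPPET.js';
  console.log(checkBundledJQuery(url, OLD_BUNDLE)); // flagged: true
  console.log(checkBundledJQuery(url, NEW_BUNDLE)); // flagged: false
  console.log(checkBundledJQuery(url, NO_JQUERY));  // jquery: null
}
```

The check only says which jQuery version is present, which is all the scanner report says too; as the post above notes, whether an older jQuery is exploitable depends on how the page uses it, so the flag is a prompt to review usage (or, as happened later in this thread, to move the snippet to a newer jQuery), not proof of a vulnerability.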

Re: Vulnerable JavaScript according to detectify.com

Hey Gunter,

Thanks again for bringing this to our attention. Security is a top priority for us here at Optimizely. Our engineering team has reviewed the bug report and while we believe the opportunity for malicious activity remains very slim, we are taking appropriate action to address any potential issues. As always, we are committed to doing everything possible to ensure our customers can continue to use Optimizely safely and securely.

Thanks,
-Kyle Randolph, Optimizely Staff Security Engineer

Re: Vulnerable JavaScript according to detectify.com

Hey Gunter,

jQuery 1.11.3 is now available to include in your snippet, which includes a fix for this issue. See the product update post for more information.

Thanks,
-Kyle Randolph, Optimizely Staff Security Engineer