Upgrading to jQuery 3.3.1


Applies to: AbleCommerce Gold (all versions)

Release Date:  12/03/2018

Summary:  Two vulnerabilities found in jQuery versions earlier than 3.0

AbleCommerce Issue ID: AC8-3268

 

 

INFORMATION

A known security vulnerability has been identified in jQuery versions earlier than 3.0. For details, please see:  

https://nvd.nist.gov/vuln/detail/CVE-2015-9251

The issue may be discovered by some PCI scanning services.

All versions of AbleCommerce Gold are at risk and should be patched.  These are mandatory changes for PCI compliance.

 

ISSUES FIXED IN THIS UPGRADE

Cross-Site Scripting (XSS) attacks

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Denial of Service (DoS)

jQuery 3.0.0-rc.1 and before 3.0.0 is vulnerable to Denial of Service (DoS) due to removing a logic that lower-cased attribute names. Any attribute getter using a mixed-cased name for boolean attributes goes into an infinite recursion, exceeding the stack call limit.


IMPORTANT MESSAGE - Read this BEFORE upgrading to a new version of jQuery.

If you are using any custom AbleCommerce plug-ins, or your own custom code, please read this important message before upgrading to jQuery 3.0.  

Since jQuery is the most widely used JavaScript library, there is a risk of breaking existing customizations or features within your website. For instance, the AbleCommerce features that were impacted include the following:

1. TinyMCE HTML editor
2. Footable (ExGridView)
3. Admin help tooltips (hoverIntent.js)
4. jquery.equalheights
5. UvumiGallery and Fancybox plug in at Product display pages for image gallery
6. jquery superfish (Admin menu)
7. DatePickers
9. Jquery based drop down buttons (admin search button in header)
10. selectbox plugin at different pages like batch edit categories
11. jquery.qtip plugin (preview order feature).
12. Color picker (Theme CSS editor).

 

If you know that you have plug-ins or customizations, then stop now, and check with your vendor or developer before applying this upgrade. He or she will need to check for jQuery version compatibility.

 

Downloads

The provided patches are for specific builds of AbleCommerce.  Before installing, find your installation version and build number.

ABLECOMMERCE VERSION

Download

Gold R12 SR2 build 9476

jQuery_Patch_Gold_WSP_R12_AC8-3268.zip (for WSP versions only)

MD5: 561316c3431fb05e1af38a75674b2904

jQuery_Patch_Gold_WAP_R12_AC8-3268.zip (for WAP versions only)

MD5:  3443b6451fda2e0e61697fbdc0ff2f84

Gold R12 SR1 build 9266

 
The patch downloads linked above are compatible with AbleCommerce Gold R12 SR2 only. However, if you are planning to apply this patch to a version of AbleCommerce Gold that is older than SR2 build 9476, then you need to confirm Path-Based Cross-Site Scripting (XSS) Failure has been patched for your installation.
 
The current patch includes some of the same files that were previously fixed for security updates.  If you have not applied the XSS patch (Oct. 2017), then do that now before continuing.
 
Alternatively, instructions are given below to apply this patch manually to any version of AbleCommerce Gold.

Gold R11 SR1 build 8858

Gold R10 SR1 build 8620

 

DOWNLOAD INSTRUCTIONS:

  1. Make a backup of your AbleCommerce installation

  2. Download the applicable Gold Patch below for the version you are using.

  3. Using the MD5 checksum number provided, you can verify the integrity of the download before extraction (see below).  This step is optional to ensure the download is valid.

TO VERIFY THE DOWNLOAD:

a.  Go to WinMD5.com or any other utility that can provide checksum validation.

b.  Download and Run the utility.

c.  Select the downloaded file.

d.  In the field provided, past the original MD5 value provided by AbleCommerce help site, and click Verify.

e.  If the validation fails, do NOT install the patch.  Instead, contact support for help.

  1. Extract the updated files to a temp folder.  

APPLY THE UPGRADE:


Identify the type of installation that is running on the server.

  1. If you haven't done so already, please make a backup of your AbleCommerce installation.

  2. From within your temp folder, first, copy the updated files to the locations below within your installation:

    ..\Website\Admin\Admin.Master
    ..\Website\Admin\Admin.Master.cs
    ..\Website\Admin\Login.aspx
    ..\Website\Admin\Logout.aspx
    ..\Website\Admin\Utility\EditHtml.aspx
    ..\Website\Mobile\Members\PaymentTypes.aspx
    ..\Website\Mobile\ProductImages.aspx

    The following 2 files include Anti-XSRF token updates from Path-Based Cross-Site Scripting (XSS) Failure security patch. Since this is not a cumulative patch, you need to have the first security patch installed before applying this one.

    ..\Website\Layouts\Base.Master.cs*
    ..\Website\Layouts\Fixed\Base.Master.cs*

    Optionally, you can make a simple change to both of these files:

    Open \Layouts\Base.Master.cs
    On, or near line 85
    Find string jquery = Page.ResolveUrl("~/Scripts/jquery-1.10.2.min.js");
    Replace with string jquery = Page.ResolveUrl("~/Scripts/jquery-3.3.1.min.js");
    Save.

    Open \Layouts\Fixed\Base.Master.cs
    On, or near line 51
    Find string jquery = Page.ResolveUrl("~/Scripts/jquery-1.10.2.min.js");
    Replace with string jquery = Page.ResolveUrl("~/Scripts/jquery-3.3.1.min.js");
    Save.

  3. Next, upgrade jQuery by copying the three (3) files from ..\Website\Scripts\ to the same location within your installation:

    ..\Website\Scripts\jquery-3.3.1.min.js (new file)
    ..\Website\Scripts\jquery-migrate-3.0.1.min.js (new file)
    ..\Website\Scripts\jquery-ui-i18n.min.js (updated file)

  4. Manually remove the old jQuery by deleting the following files:

    ..\Website\Scripts\jquery-1.10.2.min.js
    ..\Website\Scripts\Mobile\photoswipe\jquery-1.6.4.min.js

  5. Restart the website or application pool.
     

Copyright © 1994 - 2018 AbleCommerce.com, All rights Reserved | Privacy Policy

A division of Able Solutions Corporation, headquarters located in Vancouver, WA