jQuery Mobile vulnerability allows cross-site scripting, no fix soon
Mon 13 Feb 2017
jQuery Mobile, a framework from the jQuery Foundation used on more than 150,000 sites, has been found to turn any open redirect on a site into cross-site scripting (XSS): content fetched from the redirect's destination, script included, ends up injected into the page. Sites reported as affected include Facebook, Google, Baidu, YouTube and Yahoo.
The attack relies on the "Ajax navigation" pattern that has spread across the web in recent years, in which jQuery Mobile loads new content into the current page so the user is moved to it without an apparent page change.
The vulnerability was found by Google security engineer Eduardo Vela, who had earlier observed that Content Security Policy (CSP) nonces (per-response tokens that authorise specific inline scripts) can be bypassed.
The attack abuses the way jQuery Mobile overloads the URL fragment, the browser's location.hash, which conventionally names a place within the current document rather than a different URL. jQuery Mobile instead treats the fragment as the address of content to load: it fetches that address with an XMLHttpRequest and inlines the response into the current page. The XHR follows redirects transparently, so a fragment pointing at an open redirect causes the framework to fetch and inline a page from whatever host the redirect names.
When Vela reported the weakness to the jQuery Mobile development team, they confirmed the risk to users, but also said that no fix was likely to be forthcoming soon, since a patch for this particular issue would break too many web applications:
“The jQuery Mobile team explained that they consider the Open Redirect to be the vulnerability, and not their behavior of fetching and inlining, and that they wouldn’t want to make a change because that might break existing applications. This means that there won’t be a patch as far as I have been informed. The jQuery Mobile team suggests returning 403 for all requests made from XHR that might result in a redirect.
“This means that every website that uses jQuery Mobile, and has any open redirect anywhere is vulnerable to XSS.”
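The chain described above, and the server-side mitigation the jQuery Mobile team suggests, as an added example that is not code from the article, from Eduardo Vela or from jQuery Mobile itself. It is a self-contained model: the origins `site.example` and `attacker.example`, the `/login?next=` open redirect, the response table and the minimal "document" are all constructed for the demo, and the script extraction is a regex stand-in for a framework re-creating `<script>` elements from fetched markup.

```javascript
// Constructed origin for the vulnerable site.
const SITE = "https://site.example";

// Constructed "server": URL -> response. /login has an open redirect via ?next=,
// the kind of login-page redirect the article describes.
const responses = {
  [`${SITE}/about`]: { status: 200, body: "<div data-role=\"page\"><h1>About</h1></div>" },
  [`${SITE}/login?next=https://attacker.example/evil`]: {
    status: 302,
    location: "https://attacker.example/evil",
    body: "",
  },
  "https://attacker.example/evil": {
    status: 200,
    body: "<div data-role=\"page\"><script>stealCookies()</script></div>",
  },
};

// Follow redirects the way XMLHttpRequest does: transparently, returning the
// final response together with the URL it actually came from.
function fetchFollowingRedirects(url, maxHops = 5) {
  let current = url;
  for (let i = 0; i <= maxHops; i++) {
    const res = responses[current];
    if (!res) return { status: 404, body: "", url: current };
    if (res.status >= 300 && res.status < 400 && res.location) {
      current = new URL(res.location, current).href;
      continue;
    }
    return { ...res, url: current };
  }
  throw new Error("too many redirects");
}

// Minimal stand-in for the DOM: the inlined markup plus the scripts that ran.
function newDocument() {
  return { html: "", executedScripts: [] };
}

function inlineInto(doc, html) {
  doc.html += html;
  // Scripts inserted via innerHTML do not run by themselves; a framework that
  // re-creates <script> elements does run them. This regex models that step
  // (attribute-less <script> tags only, which is enough for the demo).
  const re = /<script>([\s\S]*?)<\/script>/g;
  let m;
  while ((m = re.exec(html)) !== null) doc.executedScripts.push(m[1]);
}

// Vulnerable pattern: resolve location.hash against the page URL, XHR it and
// inline whatever comes back, wherever it came from.
function navigateVulnerable(hash, doc) {
  const target = new URL(hash.slice(1), SITE + "/").href;
  const res = fetchFollowingRedirects(target);
  inlineInto(doc, res.body);
  return res.url;
}

// Client-side hardening: refuse to inline a response whose final URL left the
// page's origin, i.e. treat a cross-origin redirect as an error.
function navigateHardened(hash, doc) {
  const target = new URL(hash.slice(1), SITE + "/").href;
  const res = fetchFollowingRedirects(target);
  if (new URL(res.url).origin !== new URL(SITE).origin) {
    return { ok: false, reason: `cross-origin redirect to ${res.url}` };
  }
  inlineInto(doc, res.body);
  return { ok: true, url: res.url };
}

// Server-side mitigation suggested by the jQuery Mobile team: answer 403 to an
// XHR whose handler would otherwise redirect. jQuery adds the header
// X-Requested-With: XMLHttpRequest to its same-origin XHRs, used here as the signal.
function serveForXhr(url, headers) {
  const res = responses[url] || { status: 404, body: "" };
  const isXhr = (headers["x-requested-with"] || "").toLowerCase() === "xmlhttprequest";
  if (isXhr && res.status >= 300 && res.status < 400) {
    return { status: 403, body: "redirects are not served to XHR" };
  }
  return res;
}
```

With the hash `#/login?next=https://attacker.example/evil`, `navigateVulnerable` ends up inlining the attacker's page and running `stealCookies()`, while `navigateHardened` refuses because the final URL is cross-origin; in a real browser the final URL is available as `xhr.responseURL` or `Response.url`. `serveForXhr` shows the team's server-side alternative: the same `/login?next=` request still redirects a normal browser navigation but gets a 403 when it arrives as an XHR. Neither check fixes the open redirect itself, which remains the root cause.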
According to the Qualys Blog, open redirects are most likely to be found at the most exposed point of a website's security arrangements, the login page, which typically sends the user back to a requested URL after authentication. An investigation into how widespread the problem is found that many websites either have not closed the redirect at all or validate the destination incorrectly.
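Closing the open redirect itself, as an added example that is not from the article or the Qualys Blog: a login page's post-authentication `next` parameter validated by resolving it against the site's origin and comparing origins, beside the flawed "starts with a slash" check that many sites ship. The origin `site.example` is constructed; the check relies on the WHATWG URL parser, which Node's `URL` class and browsers implement, so it rejects the same inputs the browser would follow off-site.

```javascript
// Constructed origin of the site whose login page performs the redirect.
const ORIGIN = "https://site.example";

// A validation seen in the wild: "a target that starts with '/' must be local".
// It is wrong, because "//attacker.example/x" also starts with "/" and the
// browser resolves it as a protocol-relative URL on another host.
function naiveIsLocal(next) {
  return typeof next === "string" && next.startsWith("/");
}

// Correct check: resolve the value against the site origin exactly as the
// browser will, compare origins, and hand back a normalised same-origin path
// (never the raw input). Anything unparsable or off-origin falls back.
// Cases this rejects: "//attacker.example/x", "/\\attacker.example" (backslash
// is a slash for http(s) URLs), "https://site.example@attacker.example/",
// "https://site.example.attacker.example/", "javascript:alert(1)".
function safeRedirectTarget(next, fallback = "/") {
  if (typeof next !== "string" || next.length === 0) return fallback;
  let resolved;
  try {
    resolved = new URL(next, ORIGIN + "/");
  } catch {
    return fallback; // not a URL at all
  }
  if (resolved.origin !== ORIGIN) return fallback;
  return resolved.pathname + resolved.search + resolved.hash;
}
```

Server frameworks that build the `Location` header from the raw parameter after a `startsWith("/")` check are the "errors in the sanitising process" the investigation refers to; returning the re-serialised path from the parser, rather than the input string, removes the gap between what the validator saw and what the browser will navigate to.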