Version of jQuery in Pega Platform version 8.7.3

A security scan conducted on the application reveals the following vulnerability in Pega:

During the assessment, we observed that jQuery version 2.1.3 is implemented in the application.

This version of jQuery has various publicly known vulnerabilities, such as Cross-Site Scripting and CORS attacks.

Could someone provide a justification/explanation that could be used to close this?

Also, it would be great to get the jQuery version that is used in Product version 8.7.3.

@SushantBalur

There is one option to get the latest version of jQuery, and that is to upgrade to 8.7.3.

@SushantBalur Regarding references to jQuery 2.1.3, I believe (from checking our support ticket history) that this is seen in PegaCall_eventhandlers and pega_sacti_eventhandler.js, which were still using an old version of jQuery, 2.1.3.

To resolve this concern, you can override the PegaCall static content bundle by 'Save As' into a custom ruleset and remove the JS file five9_rest_api. The JS file five9_rest_api is required only for the Five9 cloud link, which is not needed for other links, and therefore it is safe to remove the file from the static content bundle.

I will check internally to see if we can find out if 2.1.3 is still the version used in 8.7.3.

The UI rendering in Pega Platform 8.7.3 does not load or use jQuery 2.1.3 - it is using jQuery 3.6.0. You can find the latest version of jQuery in the rule pzpega_jquery_latest.

Any custom JS should avoid loading its own version of jQuery - jQuery is already loaded in every harness.
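
To confirm which static files actually carry their own jQuery copy, as the replies above discuss, the following added example (not part of the thread and not Pega code) scans JavaScript sources for jQuery's release banner and flags copies older than 3.6.0. The file names and contents are constructed samples, and `findEmbeddedJquery` is a hypothetical helper.

```javascript
// Added example: constructed inputs, not Pega code.
const BASELINE = "3.6.0"; // version the thread says 8.7.3 UI rendering uses

// Compare dotted versions numerically: negative if a < b, 0 if equal.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// jQuery release files open with a banner such as "/*! jQuery v2.1.3 | ..."
// (minified) or "jQuery JavaScript Library v2.1.3" (full build). A bundle that
// concatenates several files can contain more than one banner, so collect all.
function findEmbeddedJquery(files, baseline = BASELINE) {
  const banner = /jQuery (?:JavaScript Library )?v(\d+(?:\.\d+){1,2})/g;
  const findings = [];
  for (const { name, source } of files) {
    for (const m of source.matchAll(banner)) {
      findings.push({
        file: name,
        version: m[1],
        offset: m.index,
        outdated: compareVersions(m[1], baseline) < 0,
      });
    }
  }
  return findings;
}

// Constructed sample: one script ships its own old jQuery, one is current,
// and one only uses the jQuery already present on the page.
const sampleBundle = [
  { name: "vendor_handler.js (hypothetical)",
    source: "/*! jQuery v2.1.3 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/license */\n!function(a,b){}();" },
  { name: "platform_jquery.js (hypothetical)",
    source: "/*! jQuery v3.6.0 | (c) OpenJS Foundation and other contributors | jquery.org/license */\n!function(e,t){}();" },
  { name: "custom_ui.js (hypothetical)",
    source: "function init(){ return $('#x').length; }" },
];

for (const f of findEmbeddedJquery(sampleBundle)) {
  console.log(`${f.file}: jQuery ${f.version}${f.outdated ? " (older than baseline)" : ""}`);
}
```

In a browser session, `jQuery.fn.jquery` reports the version of the copy currently bound to `jQuery`, which complements this static check.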