XSS Vulnerability due to bootstrap.js version

Our client’s IT department is running a security scan on a website we developed using the Pro theme.

They are getting a red flag on the bootstrap.js file saying it’s version 3.2 which is vulnerable to XSS attacks. They recommend updating the file to 3.4 but we are under the impression that cannot be done.

We did some research and found that the Pro theme uses a modified version of bootstrap. Is that true?

Can anyone shed light on this situation? We need to explain to the client what can be done if anything.

We have put plugins in place to protect from XSS attacks but they are saying they want the bootstrap.js updated.

Thanks!

Thanks for reaching out about this! For the most part we’re not using Bootstrap.js but we’ve kept a few plugins from an earlier release to support features in our classic elements.

I’m assuming you’re referring to this vulnerability: https://snyk.io/test/npm/bootstrap/3.3.6

Pro (and Cornerstone) wouldn’t be affected by this because we don’t use the data-target attribute at all. There isn’t a way to access it without very intentional custom development at which point you’d simply be able to escape the output yourself.

For the next release we are actually removing that alert.js plugin altogether in favor of a simpler script and removing the Bootstrap dependency. It will still include popover.js and tooltip.js which have no documented vulnerabilities. We have some modifications in those plugins as well so what I can do for the next release is make some changes to those file headers to indicate they’ve been customized. This should prevent them from showing up on any scanners.

To summarize, you can let your client know that the way we’ve customized Pro to use Bootstrap nullifies any possibility for that XSS vulnerability to be exploited.
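The two claims in the reply above can be checked rather than taken on trust: the scanner keys on the version banner at the top of bootstrap.js, and the reasoning about exposure rests on the markup never carrying a data-target attribute. The following is an added audit helper, not code from the Pro theme or from Bootstrap; the banner format it parses (`Bootstrap vX.Y.Z`) is the one Bootstrap ships, the 3.4.0 threshold is the version the client's scan asked for, and every sample input is constructed for the example.

```javascript
// Added example (not the theme's own code): an audit helper that
// (1) reads the version banner Bootstrap ships at the top of its JS files,
// (2) flags anything older than the 3.4 line the client's scanner asks for, and
// (3) counts data-target attributes in page markup, the input the thread
//     says the theme never uses. All sample inputs below are constructed.

const BOOTSTRAP_BANNER = /Bootstrap\s+v(\d+)\.(\d+)\.(\d+)/;

// Returns [major, minor, patch] from a file header, or null when no banner
// is present (a customized header with the banner removed yields null,
// which is also why a banner check alone is a weak inventory signal).
function parseBootstrapVersion(source) {
  const m = BOOTSTRAP_BANNER.exec(source);
  if (!m) return null;
  return m.slice(1, 4).map(Number);
}

// Compare two [major, minor, patch] triples; negative when a is older than b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// True when the bundled Bootstrap is older than the version the scanner accepts.
function isBelow(version, threshold) {
  return compareVersions(version, threshold) < 0;
}

// Count data-target attributes in static markup. A regex is enough for an
// inventory pass and avoids pulling in an HTML parser; it will not see
// attributes that scripts add at runtime.
function countDataTargetAttributes(html) {
  const re = /\sdata-target\s*=/gi;
  return (html.match(re) || []).length;
}

// Audit one JS file together with the rendered markup it is served with.
function auditBootstrapFile(jsSource, html) {
  const version = parseBootstrapVersion(jsSource);
  return {
    version,
    outdated: version !== null && isBelow(version, [3, 4, 0]),
    dataTargetUses: countDataTargetAttributes(html),
  };
}

// Constructed sample inputs: a 3.3.6 banner, markup without data-target,
// and markup that does use it.
const SAMPLE_JS =
  "/*!\n * Bootstrap v3.3.6 (http://getbootstrap.com)\n */\n+function ($) {}(jQuery);";
const SAMPLE_HTML = '<div class="collapse" id="x"></div><a href="#x">open</a>';
const SAMPLE_HTML_WITH_TARGET =
  '<button data-target="#x" data-toggle="collapse">open</button>';

console.log(auditBootstrapFile(SAMPLE_JS, SAMPLE_HTML));
// { version: [3, 3, 6], outdated: true, dataTargetUses: 0 }
console.log(auditBootstrapFile(SAMPLE_JS, SAMPLE_HTML_WITH_TARGET));
// { version: [3, 3, 6], outdated: true, dataTargetUses: 1 }
```

Run it against the theme's actual bootstrap.js and a few rendered pages. An `outdated: true` with `dataTargetUses: 0` matches the situation described in the thread: the scanner is right about the version string, and the question for the client becomes whether the vulnerable code path is reachable at all. Note the limits: the attribute count only covers static markup, and a header rewritten to drop the banner silences the scanner without changing what the file does, so the version and the exposure should be recorded separately.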

Thanks Alexander! Really appreciate the response. This helps a lot.

Any idea when the change you mentioned might take place?

You are most welcome. Internally we have actually started testing the beta version of the next release. I can’t comment on the exact release date as I am not in that position, but you can check our changelog page to keep abreast of the latest changes.

https://theme.co/changelog/

Thanks.
