Threat Watch

jQuery JavaScript Library Impacted by Flaw.

The jQuery JavaScript library, which is used by approximately 74% of all internet sites, received a security patch yesterday. The patch fixes a rare class of flaw, called prototype pollution, which experts are only now starting to understand. Prototype pollution refers to an attacker's ability to modify a JavaScript object's prototype. JavaScript objects hold multiple values in a predefined structure, for example `var car = {type: "Fiat", model: "500", color: "white"}`. Prototypes supply default properties so the application does not fail when an object's own structure has no value for them. If an attacker manages to alter the object prototype, they can severely affect how the application processes data and open the door to more serious attacks. Expert analysis has found this flaw in jQuery, which is ingrained in about 97% of all websites, to be extremely far-reaching. The good news is that these attacks cannot be exploited on a massive scale: the attacker must have intimate knowledge of the website they are attacking. This makes prototype pollution attacks dangerous to the individual target but not to its subsidiaries.
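The mechanism described above is easiest to see in a recursive "merge" routine, the same kind of utility whose unsafe handling of a `__proto__` key in attacker-supplied JSON was fixed in jQuery 3.4.0. The following is an added example written for this note; it is not jQuery's code and not part of the original alert. The `unsafeMerge`, `safeMerge`, `prototypeIsClean` and `runDemo` names and the JSON payload are constructed for illustration.

```javascript
// Naive deep merge: copies every enumerable key, including an own "__proto__"
// key that JSON.parse happily creates. Reading target["__proto__"] hands back
// Object.prototype, so the recursion writes the attacker's keys onto the
// prototype shared by every object in the runtime. (Deliberately vulnerable.)
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      if (!target[key] || typeof target[key] !== "object") target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: refuse the keys that reach the prototype chain, iterate only
// own keys, and only recurse into properties the target itself owns.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop the dangerous keys outright
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== "object" || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Cheap runtime check a defender can run in a health probe or test suite:
// Object.prototype's built-in members are all non-enumerable, so any
// enumerable key on it is evidence that something polluted the prototype.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

// Walk through pollution, detection and the fix on one constructed payload
// (the sort of JSON body a settings endpoint might accept from a user).
function runDemo() {
  const payload = JSON.parse('{"name":"widget","__proto__":{"isAdmin":true}}');

  const before = ({}).isAdmin;            // undefined on a clean runtime
  const cleanBefore = prototypeIsClean(); // true

  unsafeMerge({}, payload);
  const afterUnsafe = ({}).isAdmin;       // true: every object now "has" isAdmin
  const cleanAfterUnsafe = prototypeIsClean(); // false: pollution detected
  delete Object.prototype.isAdmin;        // undo the damage before the next step

  safeMerge({}, payload);
  const afterSafe = ({}).isAdmin;         // still undefined
  const cleanAfterSafe = prototypeIsClean(); // true

  return { before, afterUnsafe, afterSafe, cleanBefore, cleanAfterUnsafe, cleanAfterSafe };
}

console.log(runDemo());
```

The point of the pairing: the attacker never touches `car` or any other named object directly; a single key in data the application chose to merge is enough, and afterwards an access-control check such as `if (user.isAdmin)` succeeds for every object. Rejecting the three keys in `FORBIDDEN_KEYS` (or building recipients with `Object.create(null)`) closes the path, and `prototypeIsClean()` gives a detection hook that is independent of which merge code a site actually runs.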


ANALYST NOTES

If you use jQuery, it is recommended to update to version 3.4.0, which can be found online. Version 1 is still being used by about 85% of websites. Upgrading to the newest version will help fix known security vulnerabilities.