Modern browsers (Chrome, Firefox, Edge, Safari) have standardized all the features jQuery provided. Removing the dependency eliminates this attack surface entirely.

Prototype pollution is a subtle but devastating vulnerability. It allows an attacker to modify JavaScript's core object prototype (Object.prototype). jQuery v2.1.3 implements $.extend() as a recursive (deep) merge. If an attacker controls the source object passed to this method, they can inject properties into the prototype chain shared by every object in the application.

It is crucial to note that the jQuery team has since released patches in higher sub-versions (2.1.4, 2.2.x, and the 3.x branches). Because jQuery 2.1.3 is a client-side library, these vulnerabilities are exploitable by any malicious user who can inject scripts into your application or trick a user into clicking a crafted link.

Because almost every JavaScript object inherits from this prototype, an attacker can inject malicious properties that affect the entire application's behavior.
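The recursive-merge behaviour described above, as an added example that is not jQuery's own code: a minimal deep merge modelled on $.extend(true, ...) in 2.1.3, the hardened form beside it, and a defender-side check for an own property that should never exist on Object.prototype. The payload string and the function names are constructed for this illustration.

```javascript
// Added example (not jQuery's source): minimal deep merge modelled on the
// recursive $.extend(true, ...) of jQuery 2.1.3, beside a hardened version.
const isPlainObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

// Vulnerable: walks every enumerable key of `source`. JSON.parse stores the key
// "__proto__" as an ordinary own property, so the loop reaches it, and reading
// target["__proto__"] yields Object.prototype, which the recursion writes into.
function deepMergeVulnerable(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = isPlainObject(target[key]) ? target[key] : {};
      target[key] = deepMergeVulnerable(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: own keys only, and prototype-related names are refused outright
// (jQuery's 3.4.0 fix likewise stops $.extend from recursing into "__proto__").
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function deepMergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      const existing = own && isPlainObject(target[key]) ? target[key] : {};
      target[key] = deepMergeSafe(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection: an unexpected own property on Object.prototype is the indicator.
function prototypeHasOwn(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// Constructed payload in the shape of attacker-controlled JSON input.
const PAYLOAD = '{"__proto__": {"polluted": true}}';
function demo() {
  deepMergeVulnerable({}, JSON.parse(PAYLOAD));
  const vulnerableLeaked = prototypeHasOwn("polluted") && ({}).polluted === true;
  delete Object.prototype.polluted; // undo the pollution before the safe run
  deepMergeSafe({}, JSON.parse(PAYLOAD));
  return { vulnerableLeaked, safeLeaked: prototypeHasOwn("polluted") };
}
```

Running demo() returns vulnerableLeaked true and safeLeaked false; the prototypeHasOwn check is the same probe a test suite can run after parsing any untrusted input to catch a polluted prototype early.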

: This affects how jQuery handles HTML from untrusted sources.

Severity: Medium (CVSS 5.6). Status: Fixed in jQuery 3.4.0 (2.1.3 is fully vulnerable).