Forum Discussion
RISE generated web content contains outdated version of jQuery
Hi there,
Our learning and development team uses Rise to generate some content that is then exported from Rise, and is included in another website that we host. We recently noticed that included in the bundled JS is jQuery version 3.3.1, which contains a known vulnerability (CVE-2019-11358). This is setting off source code scanners that we use for our applications, and our clients might see it when examining the site using something like RetireJS. Can you please indicate when you will be fixing this issue and upgrading the included jQuery to 3.3.4? Thank you.
Hi Scott. Thanks for the note! I've shared this information with my team, and I'll update you here about any potential changes.
- ScottPage, Community Member
Crystal, any update you can offer on this?
Thanks for checking in, Scott. I don't have an update yet, but we've prioritized the issue and we'll let you know as soon as it is resolved.
- ScottPage, Community Member
Thanks for responding, Alyssa!
Hi there, Scott. After close investigation, we've determined that the jQuery vulnerability doesn't have any effect on Rise 360. We will continue to monitor this issue for potential impact, but for now we don't have plans to make a jQuery update.
- ScottPage, Community Member
Hi Alyssa, thank you for the response. While you may not have a defect that is causing a vulnerability, you must realize that any content that is generated by Articulate and then looked at in a web browser by a security team will point out the outdated version. If your customers are using Rise to create content for their own customers who may do a security review of their site, this could cause them to lose a possible sale. This is how it affects us. If you are not going to keep your 3rd party dependencies up to date, I will be forced to redo our security analysis of Articulate/Rise to be categorically high risk and will have to instruct the business to find an alternate vendor. Does that help you understand the situation we're in? Currently, any time we place Rise content anywhere in an application it gets immediately flagged by our security scanning systems as well as our pen-testing crew due to the outdated library. This will happen for other clients as well, and it may impact them similarly if they get reviewed by a security audit. Please let me know if there is anything additional you can do in order to ensure that Articulate/Rise is following security best practices.
- ScottPage, Community Member
I would be happy to facilitate a Zoom call if you'd like with ourselves and any relevant stakeholders from your side.
Really sorry for the trouble, Scott, and I appreciate you taking the time to explain how this impacts Rise users from a security perspective. We initially overthought your request, saw some incompatibilities with jQuery 4, and we got in our own way. We re-read your request, and now we realize we can resolve the problem by upgrading to 3.3.4. We can definitely help, and we’ll be in touch with an update soon.
- ScottPage, Community Member
Thank you!!! Typically you don't have to jump major versions, 3 -> 4 for example, just get to a more recent version number that has no CVEs registered for it, as that is what is going to come up immediately in source code scanners or pen-testers who are looking at RetireJS output. I highly recommend the RetireJS Chrome extension for your QA staff as anything like this will jump out at them during testing. We use it all the time when building software. I have forwarded your note to the business to let them know there will be a fix. Thank you again!
Thanks, Scott. I'll pass along your recommendation to my team. As soon as we get this upgraded, I'll reach out to let you know!
Hi Scott!
I'm following up to let you know we have updated jQuery to the 3.3.4 patch release. Please reach out if you have any further questions about that!