Storyline embedded jQuery - security vulnerability

Hi,

One of our clients noticed that there's a mention that jQuery '1.7.1' is used/embedded in the published Storyline result. This version seems to contain some security vulnerabilities.

Is this something that can be updated? Or should I not have that security concern? Could I do something about this?

-> jQuery 1.7.1 is used in Storyline 1 (storyline_compiled.js) and in Storyline 2 (player_compiled.js); this file is needed to play the html5 version on pc only. 

 

Any tips? Suggestions?

Thanks.

8 Replies
Ashley Terwilliger

Hi Bert,

I'm not aware of any specific vulnerabilities - did your client give you more information than that or were they running into a particular problem? I know that testing the published content locally can cause the browser to not perform as expected with JavaScript elements based on browser security restrictions.

I'm going to reach out to a few others on our team to see if they have other thoughts - but any more information you can offer would be helpful. 

Bert Casaert

The library jquery version 1.7.1 has known security issues. Linked bugs were:

http://research.insecurelabs.org/jquery/test/ 

and https://bugs.jquery.com/ticket/11290   (google cached link: http://goo.gl/jmNemQ )

The vulnerability is affecting all versions prior to 1.9.0b1 (between * and 1.9.0b1)

 

Would this vulnerability not be in all published storyline packages, then?

Ashley Terwilliger

Hi Bert,

Thanks for reaching out here and sharing that information. I talked with our team this am, and they're not aware of any security vulnerabilities in our published output, but I shared all the information you provided here with them and they'll investigate further. I don't have a time frame to share in regards to when I'll hear back from them, but once I have additional information to share I'll post here. Thanks for your patience! 

Ashley Terwilliger

Hi Bert,

Thanks for checking in on this issue. I checked with our team, and it seems that the way Storyline uses jquery is not impacted by the security flaws mentioned in the link you previously shared. At this time I have no further information to report, so if you run into issues please feel free to let us know here or reach out to our Support engineers. 

Bert Casaert

Hi, is there a possibility that the embedded jQuery is going to be updated?

There is still some concern around it: "Even if the application is not yet impacted by the flaw, as the library is not safe, it can happen one day when application calls vulnerable functions. They need to upgrade to jQuery v1.12.0 or v2.2.0"

Thanks.

Ashley Terwilliger

Hi Bert, 

Based on the information previously shared I do not believe there is an update planned to the jQuery as our team has tested it and doesn't see that our output is impacted by the security flaws mentioned. If you're running into an issue, we'd be happy to investigate further, and we'll want to have you work directly with our Support engineers by sending along a copy of your project files and information on where it's hosted, browsers you're using to test, etc.