All jQuery versions below 3.4.0 are affected by a new hacking technique called prototype pollution. Successful exploitation could allow an attacker to modify existing object properties, including security properties such as cookies or tokens. Privilege escalation, content manipulation, application hijacking and even remote code execution is possible.
WHAT IS PROTOTYPE POLLUTION
prototype. An attacker manipulates these attributes to pollute an application object-prototype by injecting other values. Properties on the
This leads to several highly dangerous attacks. Denial of service attacks against the application server or web server, privilege escalation, or content manipulation. Under special circumstances (see below) an attacker can even execute remote code.
If an attacker pollutes
Object.prototype.myattrb he can most likely perform a remote code execution attack.
For more information on the prototype pollution flaw, see:
NOT SO EASY TO EXPLOIT
If the application uses jQuery only to animate some menus, it is most likely safe. If jQuery is used for more complex operations, such as creating frontends or interacting with server-side systems, it can be exploitable. Howerver, currently this technique is not mass exploitable. Prototype pollution flaws require the attacker to have detailed knowledge of the website and its programming.
Prototype pollution attacks can allow a break-in into systems that are considered secure. Since the exploit takes some time to be executed successfuly, it is likely to be used against high value targets.
There is already a proof-of-concept code for the prototype pollution vulnerability (CVE-2019-11358) that affects jQuery. It shows a way to allow attackers assign themself administration rights on an application using jQuery.
MILLIONS OF WEBSITES AFFECTED