Potential Vulnerability in Cloned Code#4148
Conversation
|
Hi @navnitan-7! Thank you for your pull request and welcome to our community. Action RequiredIn order to merge any pull request (code, docs, etc.), we require contributors to sign our Contributor License Agreement, and we don't seem to have one on file for you. ProcessIn order for us to review and merge your suggested changes, please sign at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need to sign the corporate CLA. Once the CLA is signed, our tooling will perform checks and validations. Afterwards, the pull request will be tagged with If you have received this in error or have any questions, please contact us at cla@meta.com. Thanks! |
github-actions
bot
added
the
documentation
|
Thank you for signing our Contributor License Agreement. We can now accept your code for this (and any) Meta Open Source project. Thanks! |
|
Requesting review on this security-related patch. This PR mitigates behavior associated with CVE-2015-9251 in the vendored jQuery file used in documentation assets. The change mirrors the upstream security fix to prevent implicit cross-domain script execution during AJAX response conversion. Kindly review and let me know if any adjustments are required. Thank you! |
1 participant
Summary
This change mitigates CVE-2015-9251 behavior in a vendored jQuery clone at
docs/v2.10.0/_static/jquery-3.5.1.js.It mirrors the upstream jQuery security intent to avoid implicit cross-domain script execution during ajax response conversion.
Changes
ajaxConvert(...).Impact
This reduces XSS risk from cross-domain ajax responses being interpreted as script implicitly.
References