﻿id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc	focuses	prnumber
47020	jQuery Update 3.4.0 vulnerability	MikeNGarrett	azaozz	"jQuery's latest release contains a fix for jQuery.extend which allows for unintended behavior which could lead to cross-site scripting attacks. 

From [https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ jQuery's 3.4.0 release notes]:

 jQuery 3.4.0 includes a fix for some unintended behavior when using `jQuery.extend(true, {}, ...)`. If an unsanitized source object contained an enumerable `__proto__` property, it could extend the native Object.prototype. This fix is included in jQuery 3.4.0, but patch diffs exist to patch previous jQuery versions.

This vulnerability affects all previous versions of jQuery. As they mention in the release notes, ""[https://github.com/DanielRuf/snyk-js-jquery-174006?files=1 patch diffs exist] to match previous jQuery versions.""

For reference, [https://www.drupal.org/SA-CORE-2019-006 Drupal released a core patch] for 7 and 8 which replaced `jQuery.extend()` completely with minor changes compatible with all old versions of jQuery. See [https://github.com/drupal/drupal/blob/7.x/misc/jquery-extend-3.4.0.js Drupal's core patch].

"	defect (bug)	closed	normal	5.2.1	External Libraries	5.1.1	normal	fixed	fixed-major		javascript	
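As an added illustration of the behaviour the ticket describes (example code written for this page, not jQuery's, Drupal's or WordPress core's own): a minimal re-creation of the deep-merge loop inside jQuery.extend(true, target, source), with a switch that turns on the one-line guard jQuery 3.4.0 added (a key literally named "__proto__" is skipped). The isPlainObject approximation, deepExtend, PAYLOAD and the run* helpers are illustrative names chosen here, and the attacker JSON is constructed for the demo. The point it makes that the description alone does not: the source object need not be hand-written by an attacker, it only has to come through JSON.parse (or any parser that creates own properties), because JSON.parse produces an own enumerable "__proto__" key, whereas an object literal with `__proto__:` would merely set the prototype.

```javascript
// Approximation of jQuery.isPlainObject (illustrative, not jQuery's code):
// true for object literals, Object.create(null) objects and, importantly,
// for Object.prototype itself (its prototype is null).
function isPlainObject(obj) {
  if (!obj || Object.prototype.toString.call(obj) !== "[object Object]") {
    return false;
  }
  const proto = Object.getPrototypeOf(obj);
  if (!proto) return true;
  const ctor = Object.prototype.hasOwnProperty.call(proto, "constructor") && proto.constructor;
  return typeof ctor === "function" &&
    Function.prototype.toString.call(ctor) === Function.prototype.toString.call(Object);
}

// Deep merge of `source` into `target`, mirroring the pre-3.4.0 loop when
// `skipProto` is false and the 3.4.0 behaviour when it is true.
function deepExtend(target, source, skipProto) {
  for (const name in source) {
    // The 3.4.0 fix: never descend into a key named "__proto__".
    if (skipProto && name === "__proto__") continue;
    const copy = source[name];
    if (target === copy) continue; // guard against self-reference loops
    if (isPlainObject(copy) || Array.isArray(copy)) {
      // Without the guard, target["__proto__"] resolves (via the accessor
      // on Object.prototype) to Object.prototype, which passes
      // isPlainObject and is therefore reused as `clone` and written into.
      const src = target[name];
      let clone;
      if (Array.isArray(copy)) {
        clone = Array.isArray(src) ? src : [];
      } else {
        clone = src && isPlainObject(src) ? src : {};
      }
      target[name] = deepExtend(clone, copy, skipProto);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Constructed attacker input. JSON.parse creates an own, enumerable
// property called "__proto__", so for-in will visit it.
const PAYLOAD = '{"__proto__": {"isAdmin": true}}';

// Merge the payload into a fresh object and report whether an unrelated,
// freshly created object now inherits the injected property. Cleans up
// Object.prototype afterwards so the demo is repeatable in one process.
function mergeAndCheckPollution(skipProto) {
  deepExtend({}, JSON.parse(PAYLOAD), skipProto);
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return polluted;
}

// Pre-3.4.0 behaviour: returns true (Object.prototype was extended).
function runVulnerable() { return mergeAndCheckPollution(false); }
// 3.4.0 behaviour: returns false (the "__proto__" key is ignored).
function runFixed() { return mergeAndCheckPollution(true); }

if (typeof require !== "undefined" && require.main === module) {
  console.log("pre-3.4.0 loop, Object.prototype polluted:", runVulnerable());
  console.log("3.4.0 loop,     Object.prototype polluted:", runFixed());
}
```

Any code path that later does `if (settings.isAdmin)` or similar on an object that never defined that key is what turns the polluted prototype into a privilege or script-injection bug, which is why Drupal's approach of replacing the whole extend routine (linked above) and the release's patch diffs both target this single loop.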
