Validate the Okta jQuery Library Version
Overview
Security scans or penetration tests may detect older jQuery version numbers on Okta-hosted pages. This article explains which jQuery versions are in use, what has been patched, and how to validate the jQuery version loaded by the Sign-In Widget.
Applies To
- jQuery
- Okta Identity Engine (OIE)
- Okta Classic Engine
Cause
Security scanning tools detect jQuery version strings on Okta-hosted pages and flag them against CVE databases such as cve.org. The version number shown by a scanner does not always reflect whether the underlying code has been patched against those CVEs.
Solution
The jQuery library used in Okta's Sign-In Widget has been upgraded to jQuery 3.x.
This can be validated in the Chrome browser using developer tools and entering the following command in the browser developer console:
jQueryCourage.fn.jquery
There are other instances of jQuery 1.12.4 served from the Okta CDN (not used by the Sign-In Widget) that security scanners will find. Inspecting that file shows that Okta developers have left notes in the source indicating how each of the CVEs reported against that version was addressed.
The following error may be encountered after running this command: Uncaught ReferenceError: jQueryCourage is not defined at <anonymous>:1:1.
This happens when the org is using the Third-Generation Sign-In Widget, which does not define the jQueryCourage global. If needed, temporarily disable this feature to expose the jQuery version.
Follow the steps in the Enable Third Generation Sign-In Widget documentation to toggle off the Third-Generation widget.
The "/help/login" page loads Okta's internally maintained, patched version of jQuery 1.12.4. The following CVEs against the upstream jQuery 1.12.4 release have been addressed in this build:
- CVE-2015-9251
- CVE-2019-11358
- CVE-2020-11022
- CVE-2020-11023
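As an added example (not Okta's own tooling), the following console helper inventories every jQuery build a page exposes, reading both the standard jQuery global and the widget's jQueryCourage global, plus any jquery script URL, and maps each version to the four CVEs listed above using the upstream fixed-in versions from jQuery's release history. It assumes nothing about the page beyond those two global names, and its output is a triage hint only: a version that is below the upstream fix still needs the vendor-patched build to be confirmed from the source notes, as the article describes for Okta's 1.12.4.

```javascript
// Added example: inventory jQuery builds on a page and map upstream versions to the four
// CVEs this article lists. Fixed-in versions are from jQuery's upstream release history.
// A match means the *upstream* release is affected; a vendor-patched build (like Okta's
// 1.12.4) must be confirmed from the source notes, so the result is only a triage hint.
const JQUERY_CVES = [
  { id: "CVE-2015-9251", fixedIn: "3.0.0" },  // cross-domain ajax script execution
  { id: "CVE-2019-11358", fixedIn: "3.4.0" }, // prototype pollution in $.extend
  { id: "CVE-2020-11022", fixedIn: "3.5.0" }, // XSS via htmlPrefilter
  { id: "CVE-2020-11023", fixedIn: "3.5.0" }, // XSS via <option> element handling
];

// Compare dotted version strings numerically, so "1.12.4" sorts after "1.9.1".
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// CVE ids whose upstream fix postdates the given version string.
function upstreamCvesFor(version) {
  return JQUERY_CVES.filter(c => compareVersions(version, c.fixedIn) < 0).map(c => c.id);
}

// Pull a version out of a script URL such as ".../jquery-1.12.4.min.js"; null if none.
function versionFromScriptSrc(src) {
  const m = /jquery[-.]?(\d+\.\d+\.\d+)/i.exec(src);
  return m ? m[1] : null;
}

// Browser-only: report every jQuery global the page exposes and every jquery script tag.
// Both global names are checked because the Sign-In Widget exposes jQueryCourage, not jQuery.
function inventoryPage(win) {
  const found = [];
  for (const name of ["jQuery", "jQueryCourage"]) {
    const jq = win[name];
    if (jq && jq.fn && jq.fn.jquery) found.push({ source: "global " + name, version: jq.fn.jquery });
  }
  for (const s of win.document.querySelectorAll("script[src]")) {
    const v = versionFromScriptSrc(s.src);
    if (v) found.push({ source: s.src, version: v });
  }
  return found.map(f => ({ ...f, upstreamCves: upstreamCvesFor(f.version) }));
}

// Run from the browser developer console; does nothing outside a browser.
if (typeof window !== "undefined") console.table(inventoryPage(window));
```

Paste the block into the developer console on the page under review; the table shows each discovered build with the CVEs that apply to its upstream version number, which is exactly what a scanner reports and why a patched 1.12.4 still appears in the list.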
