jQuery XSS Vulnerabilities

Hi, I have a client who failed their PCI compliance scan by Trustwave. Anyone else having this problem and a solution? It says to upgrade to version 3.0.0 or higher, but it looks like that would probably break CS cart.

The following is the error message:

jQuery Cross-Domain Asynchronous JavaScript and Extensible Markup Language Request Cross-site Scripting Vulnerability, CVE-2015-9251

jQuery is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Asynchronous JavaScript and Extensible Markup Language (AJAX) Request is performed without the dataType option, causing text/javascript responses to be executed. This finding is based on version information which may not have been updated by previously installed patches (e.g., Red Hat "back ports").
Please submit a "Patched Service" dispute in TrustKeeper if this vulnerability has already been patched.
All Cross-Site Scripting vulnerabilities are considered non-compliant by PCI.
CVE: CVE-2015-9251
NVD: CVE-2015-9251
CVSSv2: AV:N/AC:M/Au:N/C:N/I:P/A:N
Service: http
Application: nginx:nginx
Reference:
https://github.com/jquery/jquery/issues/2432
https://snyk.io/vuln/npm:jquery:20150627
Evidence:
Match: '1.9.1' is less than '3.0.0'
Remediation:
Upgrade jquery to version 3.0.0 or higher.

Which CS-Cart version is he using?

They are using version 4.2.3. I see there is an update available to 4.2.4, but my understanding is that even the latest version still uses jquery 1.9.1.

You are correct on the jQuery version... Since CS-Cart has stated they will be PCI compliant, I'd suggest you enter this as a bug in bugtracker since no CS-Cart can be PCI compliant with that version of jQuery.

We hit the same roadblock. jQuery has to be upgraded to the latest version for many reasons including PCI compliance.

Any updates on this? Did anybody hear back from CS-Cart on this?

Relatively simple fix for this if you are comfortable modifying a core file:

The snippet here (https://github.com/jquery/jquery/issues/2432#issuecomment-403761229) can be added to the template file design/themes/responsive/templates/common/scripts.tpl just after the inclusion of jquery.

This allowed me to file a dispute with my ASV against the scan result, showing that I had patched the vulnerability.
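
Added example, not part of the thread and not copied from the linked comment: the kind of `ajaxPrefilter` guard that jQuery 3.0.0 itself ships for CVE-2015-9251, which stops a cross-domain response from being treated as script when no `dataType` was given. The names `installCrossDomainScriptGuard` and `makeFakeJQuery` are hypothetical, and the stand-in is a constructed, simplified model of jQuery's Content-Type sniffing so the effect can be checked without a browser.

```javascript
// Mitigation for jQuery < 3.0.0: load this right after jquery.js.
function installCrossDomainScriptGuard(jq) {
  jq.ajaxPrefilter(function (s) {
    // Cross-domain request: never infer "script" from the response
    // Content-Type. An explicit dataType: "script" still works.
    if (s.crossDomain) {
      s.contents.script = false;
    }
  });
}

// In the browser, apply the guard to the real library when it is present.
if (typeof jQuery !== "undefined") {
  installCrossDomainScriptGuard(jQuery);
}

// --- Constructed stand-in, only so the behaviour can be verified offline.
// It models two things jQuery does: run prefilters on the settings object,
// then pick a dataType from the response Content-Type via s.contents.
function makeFakeJQuery() {
  const prefilters = [];
  return {
    ajaxPrefilter(fn) { prefilters.push(fn); },
    // Returns the dataType that would be acted on for this response.
    resolveDataType(options, responseContentType) {
      const s = Object.assign({
        crossDomain: false,
        dataType: undefined,
        contents: { xml: /xml/, html: /html/, json: /json/,
                    script: /(?:java|ecma)script/ },
      }, options);
      prefilters.forEach((fn) => fn(s));
      if (s.dataType) return s.dataType;      // caller was explicit
      for (const type of Object.keys(s.contents)) {
        if (s.contents[type] && s.contents[type].test(responseContentType)) {
          return type;                         // inferred from the header
        }
      }
      return "text";                           // handled as inert text
    },
  };
}
```

Because scanners such as the one quoted above match on the version string, the finding will still appear after this guard is in place; the guard is the evidence for a "Patched Service" dispute, not a way to clear the scan.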