It is used, according to one site survey, in 74% of all Internet sites.
Like other libraries used for programming languages, malicious changes which have been made to the library may be disseminated without affected developers realizing that the changes in those libraries are present.
To combat this, a security patch has been made for jQuery to mitigate "prototype pollution."
The base problem has been acknowledged for a few years, but researchers are lately realizing that it has affected real-world Java use. As the use of Java expands beyond simple UI handling, the effects of such pollution are showing up in unexpected places.
Olivier Arteau's NorthSec 2018 presentation took a detailed look at the problem and what was going to be needed to tackle it. Indeed, that work was a clear guide to the changes that were going to be necessary.
The problem is evident in other Java libraries (Mongoose's recent problem comes to mind), so it's not just jQuery involved here.
Liran Tal, a security researcher at Synk, took another hard look at jQuery and found even more vulnerabilities.
They also showed a proof of concept that allowed escalation to admin rights on a web app.
Fortunately, jQuery 3.4.0 fixes it, even if they still recommend user input sanitation be used.
But a huge problem still remains. Upgrading may break existing apps, since there are format changes in the higher versions. Ninety-three percent of jQuery use is stuck on versions 1 and 2 of the tool. That is not going to be easily remediated.
Fortunately, a backport of the needed changes has been done so that older versions of jQuery may still be used.
Security comes at a price of ever-vigilant maintenance of existing installations. New attacks come with new understandings of dependencies that change threat models. In this case, there is a way to save the day.
— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.