• Hi there.

    A recent pentest of a site which uses the Content Views has raised the issue that it uses an old version of Bootstrap (3.4.1) – in public/assets/js/cv.js – which has multiple security issues associated with it (see https://security.snyk.io/package/npm/bootstrap).

    Is there a way of either hiding this file from the public site (if it’s only used on the admin site), or of looking into planning to update your use of Bootstrap to a newer version?

    Thanks!

Viewing 1 replies (of 1 total)
  • Plugin Author Content Views

    (@pt-guy)

    Hello,
    Thank you for contacting us.

    We understand your concern.

    To clarify, on our frontend script, we use a customized 3.4.1 Bootstrap version that includes only 4 components: carousel, collapse, dropdown, tab.

    On this page https://security.snyk.io/package/npm/bootstrap, only 2 top vulnerabilities relate to version 3.4.1 (the other issues relate to versions < 3.4.1 or >= 4.0.0).

    1. About the first issue,
    it doesn’t affect our plugin because we did not use the button component or the “data-loading-text” attribute.

    2. About the second issue,
    here is the detailed description of this vulnerability, and it mentions that “The presence of a valid data-target will override the href and the XSS will not be evaluated.”

    This is the code in our custom Bootstrap script that relates to this issue: https://postimg.cc/CdDGjwpt
    The variable g (which gets the href value) is only used if data-target is null.
    Our plugin already included a valid data-target value, so this issue doesn’t affect our plugin.

    So no action is required.

    If you have further questions, please let us know.
    Best regards,
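
The reply's argument rests on every trigger having a valid data-target so the href fallback is never consulted. The following is an added example, not the plugin's or Bootstrap's code: it models the Bootstrap 3 precedence (data-target first, then the trailing `#fragment` of href, as assumed from the pattern in Bootstrap 3's `getTargetFromTrigger`) and audits constructed trigger markup for anything that would still fall back to href or use an unexpected selector, which is the check a site owner would run to confirm the claim on their own pages.

```javascript
// Added example: attributes are plain objects so it runs in Node without a DOM.

// Models Bootstrap 3's target precedence (assumption, based on the
// getTargetFromTrigger pattern): data-target wins; otherwise href is used
// with everything before its trailing "#fragment" stripped.
function resolveTarget(attrs) {
  const dataTarget = attrs['data-target'];
  if (dataTarget) return { selector: dataTarget, source: 'data-target' };
  const href = attrs.href;
  if (!href) return { selector: null, source: 'none' };
  return { selector: href.replace(/.*(?=#[^\s]+$)/, ''), source: 'href' };
}

// Conservative definition of an expected selector for this audit: one id or
// one class name, nothing that could carry markup into the selector engine.
function isSimpleSelector(sel) {
  return typeof sel === 'string' && /^[#.][A-Za-z_][\w-]*$/.test(sel);
}

// Returns only the triggers a reviewer should look at: those whose selector
// would come from href, or whose data-target is not a simple id/class.
function auditTriggers(triggers) {
  return triggers
    .map((attrs, i) => ({ index: i, ...resolveTarget(attrs) }))
    .filter(r => r.source !== 'data-target' || !isSimpleSelector(r.selector));
}

// Constructed sample markup (attribute maps), not taken from any real site.
const sampleTriggers = [
  { 'data-toggle': 'collapse', 'data-target': '#cv-panel-1', href: '#cv-panel-1' }, // ok
  { 'data-toggle': 'collapse', href: '#cv-panel-2' },                              // href fallback
  { 'data-toggle': 'dropdown', 'data-target': 'div.cv-menu[data-x]', href: '#' },  // odd selector
];

console.log(auditTriggers(sampleTriggers));
```

Running it lists triggers 1 and 2 for review; a clean page yields an empty array.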
