Javascript Version Disclosure

Created on 10 April 2025, about 2 months ago

Problem/Motivation

We have several sites that are scanned by Invicti / Netsparker to identify potential security concerns.
They repeatedly have the following finding:

Invicti Enterprise identified a version disclosure (Jquery) in the target web server's HTTP response. This information can help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of Jquery (or other javascript libraries).

After reaching out to find what they are referring to, it is this:

  <script src="/core/assets/vendor/jquery/jquery.min.js?v=3.7.1"></script>
  <script src="/core/misc/touchevents-test.js?v=10.4.5"></script>
  <script src="/core/assets/vendor/backbone/backbone-min.js?v=1.6.0"></script>

It is a "Low" severity described here.

Steps to reproduce

  1. Load any Drupal page
  2. View the source of the page
  3. Observe script tags for javascript files that reveal the version of the file as "?v=nn.nn"

Proposed resolution

This version identification is baked into core's JsCollectionRenderer::render(). The current approach makes it easy to debug as well as making sure that versions get locally cached appropriately with minimal extra bandwidth needed for unnecessary downloads. We could hash the version to make it undisclosed but still prevent unnecessary downloads.
The end result would have them looking something like this:

  <script src="/core/assets/vendor/jquery/jquery.min.js?hv=Myta2hC-FBUCSqirpFCfJxVKMoWwwV4pbwJkSHIpqhM"></script>
  <script src="/core/assets/vendor/underscore/underscore-min.js?hv=OoQsK9DvUuZCnXBLBXAheR1h7N_tK646SIuF4Mf2nQ8"></script>
  <script src="/core/assets/vendor/once/once.min.js?hv=1R5uyUBYVUqEVYpbQC7m71_fVFXjXJAv7aYc2odSlDo"></script>

This change may not ever be something that gets merged to core, but could live as a patch here for those of us that need to prevent version disclosure.

Remaining tasks

User interface changes

None

Introduced terminology

API changes

None

Data model changes

The query parameter v for 'version' would become hv for 'hashed version'.

Release notes snippet

✨ Feature request
Status

Active

Version

11.1 🔥

Component

asset library system

Created by

🇺🇸 United States swirt Florida
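
One way to realise the hashed `hv` parameter proposed in the issue above, as an added PHP example that is not part of the original issue or of Drupal core. The helper names and salts are hypothetical, and the use of a keyed hash (HMAC-SHA256 with a site-private salt) is an assumption beyond the issue's wording, chosen so that the same version does not produce the same token on every site.

```php
<?php

declare(strict_types=1);

/**
 * Added illustration, not Drupal core code. hashed_version_token() and
 * rewrite_script_src() are hypothetical helpers; the salts are constructed.
 */

// Keyed hash of the version, base64url-encoded without padding (43 chars).
function hashed_version_token(string $version, string $site_salt): string {
  $raw = hash_hmac('sha256', $version, $site_salt, true);
  return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// Replace a "?v=<version>" or "&v=<version>" parameter with "hv=<token>".
function rewrite_script_src(string $src, string $site_salt): string {
  return preg_replace_callback(
    '/([?&])v=([^&#"]+)/',
    fn(array $m): string => $m[1] . 'hv=' . hashed_version_token($m[2], $site_salt),
    $src
  ) ?? $src;
}

// Constructed sample input, using the URLs quoted in the issue.
$sources = [
  '/core/assets/vendor/jquery/jquery.min.js?v=3.7.1',
  '/core/misc/touchevents-test.js?v=10.4.5',
  '/core/assets/vendor/backbone/backbone-min.js?v=1.6.0',
];

$salt_site_a = 'constructed-salt-for-site-a';
$salt_site_b = 'constructed-salt-for-site-b';

foreach ($sources as $src) {
  echo rewrite_script_src($src, $salt_site_a), PHP_EOL;
}

// Same version, same site: the token is stable, so browser caches stay valid.
var_dump(hashed_version_token('3.7.1', $salt_site_a) === hashed_version_token('3.7.1', $salt_site_a));
// New version: the token changes, so caches are invalidated as with ?v=.
var_dump(hashed_version_token('3.7.1', $salt_site_a) !== hashed_version_token('3.7.2', $salt_site_a));
// Different site salt: the token differs per site. An unkeyed
// hash('sha256', '3.7.1') would be identical on every site.
var_dump(hashed_version_token('3.7.1', $salt_site_a) !== hashed_version_token('3.7.1', $salt_site_b));
```

The token only hides the version in the URL; a vendor file that carries a version banner in its own contents still discloses it to anyone who fetches the file.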
