nopCommerce 4.2 & jquery version 3.3.1 fails pci scan

3 weeks ago
I recently upgraded from 4.0 to 4.2 to fix the pci scan issue with jquery. I ran a pci vulnerability test last night and this (among other issues) is what I got:

jQuery Prior to 3.4.0 Cross-Site Scripting Vulnerability

I ran jQuery.fn.jquery in console and it returned 3.3.1.

The pci scan failed.

How do I get upgraded to 3.4.0? Is it even possible at this point with 4.20 (downloaded two weeks ago)?

Are there any workarounds?

I tried to mitigate with various things, but the pci scanner people just simply said if you have anything less than 3.40 you fail.

Any help with this would definitely be appreciated soon.

Thanks!

--Tom
3 weeks ago
Hello Andrei,

I was not expecting to fail the pci scan after the time and effort to upgrade to 4.2 to pass the scan. Now, there is no version of nopCommerce that comes out of the box that will pass a current pci scan.

I am also taking this issue up with nopTemplates whose themes and plugins along with your products form the core of my business.

I'd like to resolve this soon or at least get a better understanding from you what the roadmap is to fix this. Please understand that it is at least $50/month for a failing scan. It also makes it complex to provide a potential customer who asks is nopCommerce pci compliant?

Please let me (us) know soon.

Thanks!

--Tom
2 weeks ago
Hmm, maybe someone could show me how to upgrade the jQuery in 4.2?
1 week ago
Ok, no responses. Guess I must be the only one that does not want to pay $50 a month for non-compliance.

This is what I did to get a passing scan:

Downloaded the jquery 3.4.1 min & non-min

Downloaded the jquery migrate 3.1.0 min & non-min

Put those 4 files in the appropriate jquery folders.

In Visual Studio, searched for all references to jquery-3.3.1 and changed to jquery-3.4.1
Searched for all references to jquery-migrate and changed to 3.1.0


I did a relatively brief test of my site including the nopTemplates themes and plugins and everything seemed to work ok. It was not a deep nor thorough test but all seemed well in Edge console. I could see where jquery migrate was lighting up the screen, but no errors.

I submitted my site for another pci scan and it passed-- no problem. Adios paying $50.

Your mileage may vary.