An internal vulnerability security report has detected that the Clarity application uses JavaScript (JS) libraries with known vulnerabilities: jQuery UI v1.10.4 and Knockout v3.2.0.
We have tried to update the libraries to the latest or more recent versions (e.g. jQuery UI v1.12.1 and Knockout v3.4.2), but the application does not work correctly afterwards: it throws exceptions when using those libraries.
Is upgrading these external libraries supported?
Clarity 16.0 and supported releases.
Clarity engineering is aware of the vulnerabilities reported for the external JavaScript (JS) libraries (e.g. jQuery, jQuery UI and Knockout). Defect DE52534 was filed for this and was later converted to an enhancement story to upgrade the JavaScript libraries in a future Clarity release. The defect was raised at low priority because these JS vulnerabilities do not by themselves put the Clarity system at risk: the affected code paths would only need to be addressed if Clarity allowed custom JavaScript to execute alongside its own code, and Clarity does not execute server-side JavaScript. Clarity also has built-in guardrails to protect against XSS and CSRF.
Upgrading the JS libraries on your own has adverse effects on the product, so there is no official recommendation to upgrade them. The recommendation is to upgrade periodically to the latest Clarity release. As of Clarity 16.0 the bundled JS libraries are jQuery JavaScript Library v3.5.1, jQuery UI v1.10.4 (2014-01-17) and Knockout JavaScript library v3.2.0.
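The version banners quoted above are the practical way to confirm what a given deployment actually ships, independently of what a scanner claims. The script below is an added example written for this article, not Clarity or Broadcom code: it walks a directory of static JavaScript, matches the header banners of jQuery, jQuery UI and Knockout, and flags any version older than a baseline. The directory layout, the baseline versions and the sample file headers it creates are constructed assumptions; point `scan_tree` at the real static-content directory of your own instance.

```python
"""Inventory bundled JavaScript library versions from their header banners.

Added example for verifying a scanner finding; not vendor code. The banner
patterns follow the header text quoted in the article (unminified builds);
jQuery's minified build uses the shorter "jQuery vX.Y.Z" form, which is
also matched.
"""
import os
import re
import tempfile
from typing import Dict, Optional, Tuple

BANNERS = {
    # Checked before plain jQuery so "jQuery UI - v1.10.4" is not misread.
    "jquery-ui": re.compile(r"jQuery UI - v(\d+\.\d+\.\d+)"),
    "jquery": re.compile(r"jQuery (?:JavaScript Library )?v(\d+\.\d+\.\d+)"),
    "knockout": re.compile(r"Knockout JavaScript library v(\d+\.\d+\.\d+)"),
}

# Hypothetical baseline: replace with the versions your own scanner expects.
BASELINE = {"jquery": (3, 5, 1), "jquery-ui": (1, 12, 1), "knockout": (3, 4, 2)}


def parse_version(text: str) -> Tuple[int, ...]:
    """Compare as integer tuples: as strings "1.9.0" would sort after "1.10.4"."""
    return tuple(int(part) for part in text.split("."))


def identify(header: str) -> Optional[Tuple[str, str]]:
    """Return (library, version) if the header text carries a known banner."""
    for name, pattern in BANNERS.items():
        match = pattern.search(header)
        if match:
            return name, match.group(1)
    return None


def scan_tree(root: str, head_bytes: int = 4096) -> Dict[str, Dict[str, str]]:
    """Map relative path -> {library, version} for every .js file under root
    whose first head_bytes contain a recognised banner."""
    found: Dict[str, Dict[str, str]] = {}
    for dirpath, _, files in os.walk(root):
        for filename in files:
            if not filename.endswith(".js"):
                continue
            path = os.path.join(dirpath, filename)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                head = fh.read(head_bytes)
            hit = identify(head)
            if hit:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                found[rel] = {"library": hit[0], "version": hit[1]}
    return found


def below_baseline(inventory: Dict[str, Dict[str, str]],
                   baseline: Dict[str, Tuple[int, ...]] = BASELINE) -> Dict[str, Dict[str, str]]:
    """Return the inventory entries older than the baseline for their library."""
    return {
        path: entry for path, entry in inventory.items()
        if parse_version(entry["version"]) < baseline.get(entry["library"], ())
    }


# Constructed sample headers mimicking the banners quoted in the article.
SAMPLE_FILES = {
    "lib/jquery.js": "/*!\n * jQuery JavaScript Library v3.5.1\n * https://jquery.com/\n */\n",
    "ui/jquery-ui.js": "/*! jQuery UI - v1.10.4 - 2014-01-17\n* http://jqueryui.com\n*/\n",
    "lib/knockout.js": "// Knockout JavaScript library v3.2.0\n// (c) Steven Sanderson\n",
    "app/main.js": "// application code, no library banner\n",
}


def demo() -> Tuple[Dict[str, Dict[str, str]], Dict[str, Dict[str, str]]]:
    """Write the constructed tree to a temp dir, scan it, and return
    (full inventory, entries below baseline)."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        inventory = scan_tree(root)
        return inventory, below_baseline(inventory)


if __name__ == "__main__":
    inventory, outdated = demo()
    for rel, entry in sorted(inventory.items()):
        flag = "OLDER THAN BASELINE" if rel in outdated else "ok"
        print(f"{rel}: {entry['library']} {entry['version']} ({flag})")
```

Run it against the real static-content directory by replacing `demo()` with a call to `scan_tree(path)`. Note that the scanner finding and the banner can disagree when a vendor ships a patched build under the original version string, which is one reason to read the vendor's statement above rather than rely on the version number alone.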
See the XSS security notes for more information.