Ditch jQuery Mobile, urges security researcher

Developers ought to migrate away from jQuery Mobile (JQM) following the discovery of a cross-site scripting (XSS) vulnerability in the unmaintained but still widely used platform.

JQM is a JavaScript library that offers a touch-optimized web framework for smartphones and tablet devices.

All current versions of the framework are vulnerable to directly exploitable XSS vulnerabilities, security researcher Juho Nurminen warns.

The DOM-based XSS vulnerability lends itself to attacks through specially crafted URLs. In addition, all current versions of JQM contain a broken implementation of a URL parser.

After going public with his findings through a detailed blog post on Friday, Nurminen is encouraging developers to move from JQM towards alternative platforms.

Ditching the technology is being recommended because JQM is no longer actively maintained, so no patch (at least from its original developers) is likely.

A related open redirect-related XSS vulnerability in jQuery Mobile was first documented by researcher Eduardo Vela two years ago.

The security weakness wasn’t of much utility on its own because it could only be exploited in conjunction with other bugs.

However, Nurminen built on this earlier research and showed it was possible to exploit the flaw to mount a successful XSS assault without piggy-backing on other bugs.

The Finnish researcher discovered the vulnerability in December, but only went public last week after months of trying to contact the developers through various channels.

He said that he received a short reply to previous emails – “seems worth fixing” – in early March, followed by what he calls “complete radio silence”.

The Daily Swig contacted jQuery Mobile for comment, but we’re yet to receive a response.

Nurminen said: “Partial fixes exist in the form of PRs [pull requests], but ever having them merged is unlikely, let alone that there’d be a new release.”