If the version of jQuery you use contains a vulnerability, you may need to update your site to use a newer version. However, this can break functionality. You need to incorporate that into your decision on how to mitigate the vulnerability.
A vulnerability in jQuery
If you use user-provided URLs in `$.get` calls, you are vulnerable to this attack. But what if you don’t?
If you don’t use the library in a way that makes your site vulnerable, there is no vulnerability. However, it is still a good idea to update your jQuery version. You may not retrieve user-provided URLs now, but maybe you’ll add that in the future. Maybe you made a mistake when checking your code for vulnerable usage of the library, or maybe the vulnerable code is in a third-party component.
However, if you’ve checked your code for vulnerable calls and didn’t find any, the risk may seem largely theoretical. In that case, is it worth the risk of breaking your site by updating jQuery?
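As an added illustration of the code check described above (this is example code, not part of the original post), here is a heuristic scan that flags jQuery request calls whose URL argument is not a plain string literal. The method list, the `url` property lookup and the sample source are constructed for this example; anything reached through a wrapper or alias is not followed.

```javascript
// Added example, not code from the original post: a heuristic scan that flags
// jQuery request calls whose URL argument is not a plain string literal. It is
// a triage aid, not proof of safety: wrappers and aliases are not followed.
const CALL_RE = /(?:\$|jQuery)\.(get|getJSON|getScript|ajax)\(\s*/g;

// Text of the first argument starting at `start` (just after the open paren).
function firstArgument(src, start) {
  let depth = 0, quote = null, i = start;
  for (; i < src.length; i++) {
    const c = src[i];
    if (quote) { if (c === quote && src[i - 1] !== '\\') quote = null; continue; }
    if (c === '"' || c === "'" || c === '`') { quote = c; continue; }
    if ('([{'.includes(c)) depth++;
    else if (')]}'.includes(c)) { if (depth === 0) break; depth--; }
    else if (c === ',' && depth === 0) break;
  }
  return src.slice(start, i).trim();
}
// Constant only if a single quoted string without interpolation; for an
// $.ajax({...}) options object the `url` property is inspected instead.
function isConstantUrl(arg) {
  if (/^["'][^"']*["']$/.test(arg)) return true;
  if (/^`[^`]*`$/.test(arg)) return !arg.includes('${');
  if (arg.startsWith('{')) {
    const m = /\burl\s*:\s*(["'`][^"'`]*["'`])/.exec(arg);
    return m !== null && !m[1].includes('${');
  }
  return false; // identifiers, concatenations, etc. are flagged for review
}
// Report every matched call whose URL argument is not constant.
function findDynamicUrlCalls(src) {
  const hits = [];
  CALL_RE.lastIndex = 0;
  for (let m; (m = CALL_RE.exec(src)) !== null; ) {
    const arg = firstArgument(src, m.index + m[0].length);
    if (!isConstantUrl(arg))
      hits.push({ line: src.slice(0, m.index).split('\n').length, method: m[1], arg });
  }
  return hits;
}
// Constructed sample source: lines 2, 3 and 5 carry non-constant URLs.
const SAMPLE = [
  "$.get('/api/status', render);",
  "$.get(location.hash.slice(1), render);",
  "jQuery.ajax({ url: params.get('next'), dataType: 'html' });",
  "$.ajax({ url: '/static/list.json', dataType: 'json' });",
  "$.getScript(`/plugins/${name}.js`);",
].join('\n');
console.log(findDynamicUrlCalls(SAMPLE));
```

Each reported call still needs a human look; the scan only narrows the list of places to review.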
Updating jQuery may break your site
When updating jQuery, the newer version may have a slightly different interface than the old version. If any of your pages rely on the old behavior, updating jQuery breaks your site. Furthermore, it is pretty hard to check whether this happens: you won’t get any compile errors, so you have to test the whole site. This means the risk of updating jQuery is pretty big.
Even though it may seem like a big undertaking, jQuery Migrate helps you find any changed interfaces and lets your old code work with a newer jQuery version.
Assess your risk
Whether you update jQuery or not, you do need to make an informed decision. Weigh the pros and cons against each other so that it is clear whether the reduced risk makes updating jQuery worth the hassle. Decide whether the mitigation of the vulnerability is temporary or permanent. Maybe you are never going to update jQuery at all, but that needs to be a conscious decision rather than a result of everyday churn.
In the end you need to decide how you reduce the risk of the vulnerability, choosing the solution with the lowest cost. This solution may include updating jQuery throughout your site, but it doesn’t have to. The important point is that you make a deliberate decision, weighing risks, costs and benefits against each other.