Recently my web application stopped working, and there was no obvious reason why it should: I had not changed the code. I started debugging and found this error message in the JavaScript console of the Chrome browser.
Uncaught ReferenceError: $ is not defined
Since I had not changed my own code, I suspected a failure in a dependency. Digging further into the response from code.jquery.com, I was shocked to see unusual characters.
I tried downloading the minified and un-minified jquery-xxxx.js files and hosting them on my own website to resolve this, but it resulted in the same unusual Chinese or Japanese characters in the response, and my application still did not work. I presume there have been attacks on the jQuery server in the past too.
How serious is this issue?
We build applications that are password protected, served over SSL, IP restricted, or even running on private networks. A jQuery compromise of this kind gives a backdoor into almost every application that loads the API from code.jquery.com, because the script runs with the same privileges as the page itself: a very basic cross-site-scripting inclusion in this script can read anything appearing on the page, or make disguised AJAX calls to your server and extract everything. In short, this is a very serious issue for hosted web applications that load the API directly from code.jquery.com.
Solution to the compromised jQuery problem:
To resolve this I changed the code dependency to the Google-hosted jQuery API instead of the jQuery website.
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></script>
With this change, my application is working fine. If you prefer, you can download the .js file to your own host and include it from there. With Google you get the added advantage of a CDN, which improves the speed of your application.
You can find out which Google-hosted libraries are available for use in your code here: https://developers.google.com/speed/libraries/devguide
After this fix, the jQuery response in the Network section of Chrome developer tools looks like this: