Got a quarterly site scan yesterday (on my Opigno LMS site) by PCI auditors who report to my merchant bank and payment gateway. They are requiring jquery version 3.1 now. They won't pass my scan without it.
I turned up the jquery version from 1.4 to 3.1 and lots of things still work fine but some things don't. Mostly admin menus and stuff like that are broken. I got it all working again by turning on the jquery_migrate module.
This is all kind of unsettling and I'm not sure if my solution is really seaworthy on a production box. It's not failing, but it seems like a kind of tipsy situation to crank this up so many versions and then "fix" it this way.
Anyone else running into this? Anyone trying to run higher versions of jquery than the stock Drupal 1.4?
Is running this jquery_migrate module really meant to be used in an ongoing way, or just to get by until you actually fix the feature which is incompatible with the higher jquery version? ... which I can't do with Drupal core stuff.
Below is the scary message from my PCI auditor:
Risk: High (3)
Port: 443/tcp
Protocol: tcp
Threat ID: web_lib_jquery
Details: Two vulnerabilities fixed in jQuery 3.0.0
01/23/18
CVE 2015-9251
CVE 2016-10707
Two vulnerabilities were fixed in jQuery 3.0.0.
First, jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Second, jQuery 3.0.0-rc.1 and before 3.0.0 is vulnerable to Denial of Service (DoS) due to removing a logic that lowercased attribute names.
Any attribute getter using a mixed-cased name for boolean attributes goes into an infinite recursion, exceeding the stack call limit.
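The scan finding above is a version-banner check: the scanner reads the jQuery version served by the site and flags anything below the 3.0.0 fix line, including the 3.0.0-rc.1 pre-release named for CVE-2016-10707. The following is an added example, not code from the forum post, Drupal or Opigno, showing how such a check can be reproduced locally so a site owner can see what the auditor sees before the next quarterly scan. The banner strings are constructed samples modelled on the comment header jQuery places at the top of its file; the function and constant names are my own.

```javascript
// Added example: reproduce a "jQuery below 3.0.0" version check locally.
// The SAMPLES banners are constructed for this example, not real downloads.

// Parse "3.0.0-rc.1" into { nums: [3,0,0], pre: "rc.1" }; "1.4" pads to [1,4,0].
function parseVersion(v) {
  const m = /^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return {
    nums: [Number(m[1]), Number(m[2] || 0), Number(m[3] || 0)],
    pre: m[4] || null,
  };
}

// Semver-style ordering: numeric parts first, then a pre-release sorts before
// the matching release (3.0.0-rc.1 < 3.0.0), which is what makes the rc
// affected while the 3.0.0 release is not.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;   // release is newer than any pre-release
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1; // coarse tie-break among pre-releases
}

// Pull the version out of the banner comment at the top of a jQuery file.
// Accepts both the "jQuery JavaScript Library v1.4.4" and "jQuery v3.1.0" forms.
function extractJqueryVersion(source) {
  const m = /jQuery(?: JavaScript Library)? v(\d+(?:\.\d+){0,2}(?:-[0-9A-Za-z.-]+)?)/.exec(source);
  return m ? m[1] : null;
}

// Version in which the two CVEs named by the scanner were fixed upstream.
const FIXED_IN = "3.0.0";

// Scanner-style verdict for the text of a served script. A banner check can only
// see the upstream version string; it cannot tell whether a distribution such as
// Drupal has backported the fixes, which is why the verdict is labelled as
// "by version alone".
function assessJquery(source) {
  const version = extractJqueryVersion(source);
  if (version === null) {
    return { version: null, belowFix: null, note: "no jQuery banner found" };
  }
  const belowFix = compareVersions(version, FIXED_IN) < 0;
  return {
    version,
    belowFix,
    note: belowFix
      ? `jQuery ${version} is below ${FIXED_IN}: flagged by version alone`
      : `jQuery ${version} is at or above ${FIXED_IN}`,
  };
}

// Constructed sample banners (assumed, not taken from any real site).
const SAMPLES = {
  drupal7Core: "/*!\n * jQuery JavaScript Library v1.4.4\n * http://jquery.com/\n */",
  rc: "/*! jQuery v3.0.0-rc.1 | (c) jQuery Foundation | jquery.org/license */",
  upgraded: "/*! jQuery v3.1.0 | (c) jQuery Foundation | jquery.org/license */",
  other: "/* some unrelated library v2.0.0 */",
};

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, src] of Object.entries(SAMPLES)) {
    console.log(name, assessJquery(src));
  }
}
```

To use it against a real site, fetch the script the page actually loads (for Drupal 7 core that is the file under misc/ unless jQuery Update has replaced it) and pass its first few hundred bytes to assessJquery. Because the check reads only the upstream version string, it will keep flagging a patched-but-old build; that gap between "version below fix" and "actually exploitable" is exactly the disagreement between the scanner and the Drupal security process described in the reply.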
Hello,
You can use jQuery Update, but several things can be broken and require some fixes.
Drupal 7 is indeed not fully compliant with jQuery 3.1.
Nevertheless, your auditor doesn't seem to have a good knowledge of the Drupal process. Even if Drupal uses an old version of jQuery, the vulnerabilities have been fixed by the Drupal security team.
So there is no worry with security.
If your auditor doesn't believe you, just ask him to attack your website to prove that there is a vulnerability ;-)
Btw, if it's not already done, upgrade to Opigno 1.30 since it includes a critical vulnerability fix.