L.S.
Nothing out of the ordinary. But there are still code glitches, where libraries should be retired on the avast blog website to make it a tad more secure →
jquery 1.11.2 Found in -https://blog.avast.com/hs/hsstatic/jquery-libs/static-1.4/jquery/jquery-1.11.2.js
Vulnerability info:
Medium 2432 3rd party CORS request may execute CVE-2015-9251
Medium CVE-2015-9251 11974 parseHTML() executes scripts in event handlers
Low CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution
jquery 1.11.2 Found in -https://blog.avast.com/hs-fs/hub/486579/hub_generated/template_assets/4971048709/1571307960770/Coded_files/Custom/page/responsive/jquery.1.2.min.js
Vulnerability info:
Medium 2432 3rd party CORS request may execute CVE-2015-9251
Medium CVE-2015-9251 11974 parseHTML() executes scripts in event handlers
Low CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution
jquery 3.2.1 Found in -https://blog.avast.com/hs-fs/hub/486579/hub_generated/template_assets/7330550809/1569824219439/Coded_files/Custom/blog/js/jquery-tooltip-2019-january.js
Vulnerability info:
Low CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution
High severity findings here for CSP: Evaluated CSP as seen by a browser supporting CSP Version 3
check: upgrade-insecure-requests
error: script-src [missing]
script-src directive is missing.
error: object-src [missing]
Missing object-src allows the injection of plugins which can execute JavaScript. Can you set it to 'none'?
But this is not the only site with non-optimal settings for best CSP policies.
There is CloudFlare protection: Expect-CT: max-age=604800, report-uri="-https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
The Expect-CT header allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements, which prevents the use of misissued certificates for that site from going unnoticed. When a site enables the Expect-CT header, they are requesting that the browser check that any certificate for that site appears in public CT logs.
See: https://webcookies.org/cookies/blog.avast.com/28916849?312212 (B and F-grade scan status)…
Clickjacking protection is enabled (+2)
Instructs the browser if the current website can be embedded in an HTML frame by another website. Since this allows the parent website to control the framed page, this creates a potential for data theft attacks ("clickjacking") and most sensitive websites won't allow them to be framed at all (deny) or just allow parts of them to be embedded in frames created by themselves only (samesite).
In the browser console I see:
SprocketMenu.js:65 GET -https://app.hubspot.com/content-tools-menu/api/v1/tools-menu/has-permission?portalId=486579&callback=jsonpHandler net::ERR_BLOCKED_BY_CLIENT (via uBlock Origin)
value @ SprocketMenu.js:65
value @ SprocketMenu.js:118
(anonymous) @ index.js:18
content.js:2 [VULNERS] Init
content.js:5 [VULNERS] Rules (292) [{…}, {…}, {…}, …]
content.js:15 [VULNERS] Match Slick /slick.js undefined
(anonymous) @ content.js:15
content.js:15 [VULNERS] Match cpe:/a:jquery:jquery jquery-libs/static-1.4/jquery/jquery-1.11.2.js undefined
(anonymous) @ content.js:15
Babel Quest Client - HubSpot offers a full platform of marketing, sales, customer service, and CRM software — plus the methodology, resources, and support — to help businesses grow better. Get started with free tools, and upgrade as you grow. (Timeframe retention of data = 300 days max.).
polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)