Look here: http://www.backgroundtask.eu/Systeemtaken/taakinfo/152268/BOOTSTRAP.JS/
Example:
bootstrap 3.1.0 found in -https://store.ipced.com/js/bootstrap/bootstrap.js
Vulnerability info:
High 28236 XSS in data-template, data-content and data-title properties of tooltip/popover CVE-2019-8331
Medium 20184 XSS in data-target property of scrollspy CVE-2018-14041
Medium 20184 XSS in collapse data-parent attribute CVE-2018-14040
Medium 20184 XSS in data-container property of tooltip CVE-2018-14042
jquery-ui-dialog 1.10.3 Found in -https://store.ipced.com/js/magentothem/jquery-ui.js
Vulnerability info:
High CVE-2016-7103 281 XSS Vulnerability on closeText option
jquery 1.7.2 Found in -https://store.ipced.com/js/magentothem/ma.jq.slide.js
Vulnerability info:
Medium CVE-2012-6708 11290 Selector interpreted as HTML
Medium 2432 3rd party CORS request may execute CVE-2015-9251
Medium CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution
jquery 2.1.3.min Found in -https://store.ipced.com/js/iwd/all/iwd-jquery-2.1.3.min.js
Vulnerability info:
Medium 2432 3rd party CORS request may execute CVE-2015-9251
Medium CVE-2015-9251 11974 parseHTML() executes scripts in event handlers
Medium CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution
prototypejs 1.7 Found in -https://store.ipced.com/js/prototype/prototype.js
jquery-ui-autocomplete 1.10.3 Found in -https://store.ipced.com/js/magentothem/jquery-ui.js
jquery-ui-tooltip 1.10.3 Found in -https://store.ipced.com/js/magentothem/jquery-ui.js
Mage scan report: https://www.magereport.com/scan/?s=https://store.ipced.com/
Susceptible to MiM attacks: Insecure SSL/TLS versions available
HTTP Strict Transport Security (HSTS) not enforced
HSTS header does not contain max-age
HSTS header does not contain includeSubDomains
HSTS header not prepared for preload list inclusion
Secure cookies not used
Vulnerabilities uncovered more easily
X-Powered-By header exposed
Server information header exposed
DOM-XSS issues: Results from scanning URL: -https://store.ipced.com
Number of sources found: 4
Number of sinks found: 364
Results from scanning URL: -https://store.ipced.com/js/scriptaculous/dragdrop.js
Number of sources found: 7
Number of sinks found: 1
Results from scanning URL: -https://store.ipced.com/js/varien/menu.js
Number of sources found: 10
Number of sinks found: 23
Results from scanning URL: -https://store.ipced.com/js/magentothem/ajax_cart_super.js
Number of sources found: 10
Number of sinks found: 11
Results from scanning URL: -https://store.ipced.com/js/magentothem/ajaxlogin/ma.ajaxlogin.js
Number of sources found: 22
Number of sinks found: 19
Results from scanning URL: -https://store.ipced.com/js/scriptaculous/controls.js
Number of sources found: 61
Number of sinks found: 70
and to close that circle: Results from scanning URL: -https://store.ipced.com/js/bootstrap/bootstrap.js
Number of sources found: 77 like ).parent().parent().parent().parent().parent().parent().parent().parent().parent()
Number of sinks found: 17 form.action = url; & var data=
&
Results from scanning URL: -https://store.ipced.com/js/bootstrap/bootstrap.js
Number of sources found: 305 this.position.top = data.top;
Number of sinks found: 59 value= input
Important security issue for this site:
https://support.hypernode.com/knowledgebase/how-to-protect-your-magento-store-against-brute-force/
because Admin panel found on /rss/catalog, /admin or /downloader.
615 recommendations for website improvement, many of them security related, found by SNYK among others; see:
https://webhint.io/scanner/8b12ce83-a52a-430f-a8ca-370e47708089
disown-opener issues, no-disallowed headers, no-protocol-relative-urls, sri, strict-transport-security (80 instances),
x-content-type-options, ssllabs.
polonus (volunteer website security analyst and website error-hunter)