ASP.NET WebForms still loads old jQuery from ScriptResource.axd after upgrading to jQuery 3.7.1

Question

Our security team flagged an issue indicating that an older jQuery version appeared to be loaded in our application.(ScriptResource.axd)

I am working on an ASP.NET WebForms (.NET Framework) application.

I upgraded jQuery to 3.7.1, but initially noticed that the application is still loading the older jQuery version via **ScriptResource.axd
**To override the framework-embedded jQuery, I used ScriptResourceMapping in Global.asax:

protected void Application_Start(object sender, EventArgs e)
{
    ScriptManager.ScriptResourceMapping.Clear();

    ScriptManager.ScriptResourceMapping.AddDefinition(
        "jquery",
        new ScriptResourceDefinition
        {
            Path = "~/Scripts/jquery-3.7.1.min.js",
            DebugPath = "~/Scripts/jquery-3.7.1.js",
            LoadSuccessExpression = "window.jQuery"
        }
    );
}

However, ScriptResource.axd is still present in the Network tab, which makes it appear as if the old jQuery is still being loaded

The Request URL is

/ScriptResource.axd?d=MZxpc6JdZbbtFUlWr-Yp62Ef_7Zpw4WdN5E9uX6xkEs-U-u86e41aulYfFjXgQW4J7u4oHKFO5tgWAjesf12BTB976GkcsesxSBv9OKBOQ5UfmSYKcpdQkr3we3YowULPf8qC80knoWIxyeqkjMrgTRU5WE1&t=78d79713

A community member has suggested a similar question that may solve your problem.

Do any of these answer your question?

• what is ScriptResource.axd in the page load in web app? (3 answers)

Yes

No

(Private feedback for you)

Our security team flagged an issue indicating that an older jQuery version appeared to be loaded in our application.(ScriptResource.axd)

I am working on an ASP.NET WebForms (.NET Framework) application.

I upgraded jQuery to 3.7.1, but initially noticed that the application is still loading the older jQuery version via ScriptResource.axd.

To override the framework-embedded jQuery, I used ScriptResourceMapping in Global.asax:

protected 

However, ScriptResource.axd is still present in the Network tab, which makes it appear as if the old jQuery is still being loaded

The Request URL is

/

Questions

Why does ScriptResource.axd still get requested even after overriding jQuery using ScriptResourceMapping?

Does the presence of ScriptResource.axd mean that the old jQuery version is still being executed, or is it only serving other ASP.NET WebForms scripts?

Is it possible (or supported) to completely remove or disable the framework-embedded jQuery from ScriptResource.axd in an ASP.NET WebForms application?

1. From a security perspective, does the presence of an older jQuery inside ScriptResource.axd pose a vulnerability if the active runtime version is jQuery 3.7.1?

What is the recommended and supported way to demonstrate that the application is actually using the updated jQuery version and that the ScriptResource.axd request is not a security risk?A community member has suggested a similar question that may solve your problem.

Do any of these answer your question?

• what is ScriptResource.axd in the page load in web app? (3 answers)

Yes

No

(Private feedback for you)

Our security team flagged an issue indicating that an older jQuery version appeared to be loaded in our application.(ScriptResource.axd)

I am working on an ASP.NET WebForms (.NET Framework) application.

I upgraded jQuery to 3.7.1, but initially noticed that the application is still loading the older jQuery version via ScriptResource.axd.

To override the framework-embedded jQuery, I used ScriptResourceMapping in Global.asax:

   protected 

However, ScriptResource.axd is still present in the Network tab, which makes it appear as if the old jQuery is still being loaded

The Request URL is

   /

Questions

  **Why does `ScriptResource.axd` still get requested** even after overriding jQuery using `ScriptResourceMapping`?
  
     Does the presence of `ScriptResource.axd` mean that **the old jQuery version is still being executed**, or is it only serving other ASP.NET WebForms scripts?
     
        **Is it possible (or supported)** to completely remove or disable the framework-embedded jQuery from `ScriptResource.axd` in an ASP.NET WebForms application?
        
           From a security perspective, **does the presence of an older jQuery inside `ScriptResource.axd` pose a vulnerability** if the active runtime version is jQuery 3.7.1?
           
              What is the **recommended and supported way** to demonstrate that the application is actually using the updated jQuery version and that the `ScriptResource.axd` request is not a security risk?
              

Answer 1

The presence of ScriptResource.axd in your application indicates that it is still being used to serve scripts, which may include older versions of jQuery. Here are the answers to your questions:

1. Why does ScriptResource.axd still get requested even after overriding jQuery using ScriptResourceMapping?
   The ScriptResource.axd handler is part of the ASP.NET framework that serves embedded scripts. If there are any ASP.NET controls or components in your application that depend on the older jQuery version, they may still reference it, causing the request to ScriptResource.axd to occur.
2. Does the presence of ScriptResource.axd mean that the old jQuery version is still being executed, or is it only serving other ASP.NET WebForms scripts?
   The ScriptResource.axd may serve other ASP.NET scripts and not necessarily the old jQuery version if your application is configured to use the updated version. However, if any components are still referencing the old version, it could still be executed.
3. Is it possible (or supported) to completely remove or disable the framework-embedded jQuery from ScriptResource.axd in an ASP.NET WebForms application?
   While you can override the jQuery version using ScriptResourceMapping, completely removing the framework-embedded jQuery from ScriptResource.axd is not typically supported. You should ensure that all components in your application are updated to use the new version to avoid any references to the old version.
4. From a security perspective, does the presence of an older jQuery inside ScriptResource.axd pose a vulnerability if the active runtime version is jQuery 3.7.1?
   If your application is actively using jQuery 3.7.1 and not referencing the older version, it should not pose a security risk. However, if any part of your application inadvertently uses the older version, it could expose vulnerabilities present in that version.
5. What is the recommended and supported way to demonstrate that the application is actually using the updated jQuery version and that the ScriptResource.axd request is not a security risk?
   You can use browser developer tools to inspect the loaded scripts and confirm that jQuery 3.7.1 is being executed. Additionally, ensure that all components and scripts in your application are updated to reference the new version, and conduct security assessments to verify that no vulnerabilities are present in the active scripts.

By following these steps, you can ensure that your application is secure and using the correct version of jQuery.

Answer 2

Hi @Akshita Dangi ,

Thanks for posting in Microsoft Q&A Forum. I will try to address your question one by one

1. Why does ScriptResource.axd still get requested after ScriptResourceMapping?

ScriptResource.axd serves multiple embedded scripts, not just jQuery. Your ScriptResourceMapping only overrides scripts explicitly mapped. Third-party controls (Ajax Control Toolkit, Telerik, etc.) and other ASP.NET framework scripts still use ScriptResource.axd independently of your mapping.

Important: Scripts in WebForms are bundled, minified, and served through ScriptResource.axd—they're not loaded directly as separate files.

2. Does ScriptResource.axd mean old jQuery is still executing?

Not necessarily. ScriptResource.axd serves various ASP.NET framework scripts (MicrosoftAjax.js, validators, etc.), not just jQuery. The presence of ScriptResource.axd doesn't automatically mean old jQuery is running—you need to check what's actually executed in the browser.

3. Can you completely remove the framework-embedded jQuery?

No, not fully. WebForms itself doesn't include jQuery—it predates jQuery. The jQuery comes from Ajax Control Toolkit or other third-party controls. If you're using Ajax Control Toolkit:

• Check your ACT version - Microsoft abandoned it before abandoning WebForms. DevExpress maintained it until 2020, then also abandoned it.
• Upgrade ACT first - Try upgrading to the 2020 version before upgrading jQuery, as older versions may not be compatible with newer jQuery.
• Consider compatibility - Older ACT versions may not work with jQuery 3.7.1.

For ASP.NET 4.5+: Use the AspNet.ScriptManager.jQuery NuGet package (version 3.7.1) which properly integrates jQuery 3.7.1 with ScriptManager.

4. Is old jQuery in ScriptResource.axd a security risk if jQuery 3.7.1 is active?

If the old jQuery is loaded but not executed, the risk is minimal. The vulnerability exists only if the old version actually runs in the browser. If your page uses jQuery 3.7.1 at runtime, you're protected.

However: If your security team flagged this, they may be questioning why you're still using WebForms, which is legacy technology that Microsoft has abandoned.

5. How to demonstrate the application uses the updated jQuery?

In Browser Console:

console.log(jQuery.fn.jquery);  // Shows active jQuery version

In Network Tab:

• Inspect all loaded scripts
• Verify your jQuery 3.7.1 loads and executes
• Check the response content of ScriptResource.axd to see what it actually contains

For Security Audit:

Document that the runtime version is 3.7.1 with console screenshots, and explain that ScriptResource.axd bundles framework scripts but doesn't mean old jQuery executes.

---

Hope this helps. If you need any help, let me know.