ASP.NET Web Forms loads legacy jQuery 1.12.4 via ScriptResource.axd instead of jQuery 3.7.1 and is flagged in security scan

Akshita Dangi
2025-12-18T12:29:37.2933333+00:00

Hello,

I am working on an ASP.NET Web Forms application where I have explicitly included jQuery version 3.7.1 in the project and pages. However, when the application runs and I inspect the network requests, I see that ScriptResource.axd is loading jQuery version 1.12.4.

Example request:

/ScriptResource.axd?d=MZxpc6JdZbbtFUlWr-Yp62Ef_7Zpw4WdN5E9uX6xkEs-U-u86e41aulYfFjXgQW4J7u4oHKFO5tgWAjesf12BTB976GkcsesxSBv9OKBOQ5UfmSYKcpdQkr3we3YowULPf8qC80knoWIxyeqkjMrgTRU5WE1&t=78d79713

Questions:

1) Why does ScriptResource.axd serve jQuery 1.12.4 even when a newer version (3.7.1) is already included?

2) Why does this issue occur only for a specific request URL/page and not the entire application?

3) Is this behavior caused by ScriptManager’s default script registration, ScriptResourceDefinition, or a third-party ASP.NET control?

4) How can I override or disable the legacy jQuery being injected by ScriptResource.axd?

5) What is the recommended and secure way to ensure only jQuery 3.7.1 is used so that the security scan does not flag this issue?

Any guidance on configuring ScriptManager, Web.config, or correctly replacing the default ASP.NET AJAX jQuery reference would be greatly appreciated.


1 answer

  1. Q&A Assist
    2025-12-18T12:29:52.0133333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.
    1. Why does ScriptResource.axd serve jQuery 1.12.4 even when a newer version (3.7.1) is already included?
      The ScriptResource.axd serves jQuery 1.12.4 because it is likely being referenced by the ASP.NET AJAX framework or a control that relies on it. The ASP.NET framework may have a default setting that uses this version unless explicitly overridden.
    2. Why does this issue occur only for a specific request URL/page and not the entire application?
      This behavior may occur due to specific controls or scripts on that particular page that are designed to use the default version of jQuery provided by the ASP.NET framework. If those controls are not present on other pages, the newer jQuery version might be loaded correctly.
    3. Is this behavior caused by ScriptManager’s default script registration, ScriptResourceDefinition, or a third-party ASP.NET control?
      Yes, this behavior is typically caused by the ScriptManager's default script registration, which may include references to legacy versions of jQuery. Additionally, third-party controls that depend on ASP.NET AJAX might also be contributing to this issue.
    4. How can I override or disable the legacy jQuery being injected by ScriptResource.axd?
      To override or disable the legacy jQuery, you can set the EnableCdn property of the ScriptManager to true and ensure that you register your version of jQuery after the ScriptManager is initialized. You can also remove the default script registration if possible.
    5. What is the recommended and secure way to ensure only jQuery 3.7.1 is used so that the security scan does not flag this issue?
      The recommended way is to explicitly include jQuery 3.7.1 in your pages using a <script> tag that points to the CDN or a local copy. Additionally, ensure that you do not have any controls or scripts that automatically reference the older version. You can also check your Web.config for any settings that might be enforcing the use of the older jQuery version.

    For detailed configuration, you may need to review the ScriptManager settings and potentially modify any third-party controls that are causing the legacy version to load.

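An added example, not part of the question or the answer above: one way to find out which component registers the legacy script and to point the logical name `jquery` at a local 3.7.1 copy, using `ScriptManager.ScriptResourceMapping` and the `ResolveScriptReference` event. The class names `Global` and `ScriptAuditPage` and the `~/Scripts/...` paths are assumptions, as is .NET Framework 4 or later.

```csharp
// Added example, not code from the thread. Hypothetical names: Global, ScriptAuditPage.
// Assumed paths: ~/Scripts/jquery-3.7.1.min.js and ~/Scripts/jquery-3.7.1.js.
using System;
using System.Web;
using System.Web.UI;

public class Global : HttpApplication
{
    protected void Application_Start(object sender, EventArgs e)
    {
        // Map the logical script name "jquery" to the local 3.7.1 files, so a
        // script reference made by Name="jquery" resolves to this copy.
        ScriptManager.ScriptResourceMapping.AddDefinition("jquery",
            new ScriptResourceDefinition
            {
                Path = "~/Scripts/jquery-3.7.1.min.js",
                DebugPath = "~/Scripts/jquery-3.7.1.js"
            });
    }
}

// Base class for the page that the scan flags. It logs every script reference
// the page's ScriptManager resolves, which shows the Name and Assembly of
// whatever is asking for the old jQuery.
public abstract class ScriptAuditPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        ScriptManager manager = ScriptManager.GetCurrent(this);
        if (manager != null)
        {
            manager.ResolveScriptReference += LogScriptReference;
        }
    }

    private void LogScriptReference(object sender, ScriptReferenceEventArgs e)
    {
        ScriptReference script = e.Script;
        // Page.Trace is the page's TraceContext, so qualify the diagnostics class.
        System.Diagnostics.Trace.WriteLine(string.Format(
            "[script-audit] page={0} name={1} assembly={2} path={3}",
            AppRelativeVirtualPath, script.Name, script.Assembly, script.Path));
    }
}
```

If the log shows the reference coming from a specific assembly, that name and assembly are the values an assembly-specific `AddDefinition(name, assembly, definition)` mapping would take.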
