security(static): upgrade jQuery 1.12.4 → 3.7.1, drop unreferenced 3.3.1 bundle

[deacon-mp]

Summary

`static/jquery/jquery.js` was jQuery 1.12.4 (released 2016), loaded by `templates/core.html` on every page of the operator UI. Affected by:

CVE	Issue	Fixed in jQuery
CVE-2015-9251	XSS via cross-domain Ajax responses	3.0
CVE-2019-11358	prototype pollution in `$.extend`	3.4
CVE-2020-11022	XSS via HTML-manipulation methods (`.html()`, `.append()`, `.clone()`, `.before()`, etc.)	3.5
CVE-2020-11023	XSS via `` elements in HTML manipulation	3.5

`static/jquery/jquery.min.js` was a stale 3.3.1 copy not referenced by any template (verified with `grep -r 'jquery.min' templates/ static/ caldera/`); deleted rather than upgraded.

`jquery.multi-select.js` (v0.9.12) is unchanged — it's compatible with jQuery 3.x.

Fix

Replaced `jquery.js` with jQuery 3.7.1 (current stable), downloaded from `code.jquery.com` and cross-verified against `cdn.jsdelivr.net`:

```
SHA-256 78a85aca2f0b110c29e0d2b137e09f0a1fb7a8e554b499f740d6744dc8962cfe
size 285,314 bytes
```

Test plan

• Hard-refresh `/gui` (or whatever the operator UI URL is) and confirm no JS console errors.
• Smoke-test the multi-select dropdowns (used in adversary / ability / source selection screens) — these depend on `jquery.multi-select.js` which sits on top of jQuery; if v0.9.12 has any jQuery 3.x incompatibility we'd see it here.
• Smoke-test the agent table, ability search, operation flow — basic Ajax round-trips.

Refs

• jQuery 3.5 release notes (CVE-2020-11022/11023 fix details): https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
• Reported externally on 2026-05-18

[Copilot]

Copilot wasn't able to review any files in this pull request.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[deacon-mp]

Heads-up — there is significant overlap with existing PRs and I want to flag it before this auto-merges or someone reviews it without context:

• PR Potential Vulnerability in Cloned Code #3352 (navnitan-7, 2026-03-30): minimal 5-line back-port of the CVE-2015-9251 mitigation directly into the existing jQuery 1.12.4 source. Closes only CVE-2015-9251. Leaves CVE-2019-11358 / 2020-11022 / 2020-11023 unfixed.
• PR Replace remaining first-party jQuery usage with vanilla JS #3356 (navnitan-7, 2026-04-03, -14180 lines): removes static/jquery/jquery.js entirely and replaces the call sites with vanilla JS. Strategic fix.
• This PR (security(static): upgrade jQuery 1.12.4 → 3.7.1, drop unreferenced 3.3.1 bundle #3378): upgrades the file to jQuery 3.7.1, closes all four CVEs in one drop-in change, deletes the unreferenced jquery.min.js (3.3.1).

If #3356 lands soon, #3378 is throwaway. If #3356 is non-trivial to land (it touches 14k lines of operator UI), #3378 is a tactical bridge that closes all four CVEs without disturbing call sites.

Maintainers' call. Happy to close this in favour of #3356 if that's the chosen direction, or in favour of #3352 if the goal is the minimal back-port. I am not pushing for #3378 specifically — flagging the trade-off so the right one ships.

[deacon-mp]

Closing in favour of #3356 (full removal of first-party jQuery, replacing with vanilla JS) per maintainer direction. #3356 is the strategic fix; this PR was a tactical-upgrade bridge that becomes unnecessary once #3356 lands.

If #3356 stalls and the jQuery 1.12.4 CVEs (CVE-2015-9251 / CVE-2019-11358 / CVE-2020-11022 / CVE-2020-11023) need to be closed sooner, this branch can be re-opened or its commit (54cac060) cherry-picked.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud