As part of improving the security of 3G e-shop templates, we have updated the bundled jQuery 1.11.3 build with security fixes while keeping its public API unchanged.
This change applies to all 3G templates and is controlled via UMS.
Update management preview key: jquery_fix
The change is scheduled for release on July 14, 2026. If you are an addon developer, please review the changes described below now and adjust your addons accordingly. On the release date, these improvements will be rolled out to the majority of customers. E-shops using Deferred Template Updates will have time until July 21, 2026 to modify their customizations and accept the update.
You can preview the changes by running the command shoptet.helpers.enableUpdatePreview('jquery_fix') in the browser console.
3G e-shop templates now load a security-patched version of jQuery labeled 1.11.3-sec1. The fix addresses four known vulnerabilities (CVE-2015-9251, CVE-2019-11358, CVE-2020-11022, CVE-2020-11023 – XSS and prototype pollution).
This is not a jQuery upgrade. It is based on the exact same version 1.11.3, into which we have backported only the security fixes. The public API remains unchanged – selectors, events, .data(), AJAX, plugins (jQuery UI, colorbox), and automatic execution of inline <script> blocks when inserting HTML via .html() / .append() all work exactly the same as before.
The vast majority of partner scripts therefore do not need any changes. Below is the complete list of what changes, and what to do if any of the changes apply to you.
$.fn.jquery // "1.11.3-sec1" (previously "1.11.3")
parseFloat($.fn.jquery) // 1.11 - unchanged
If your code detects the version using parseFloat / parseInt or compares the "1.11" prefix, it will continue to work without changes. Only exact comparisons such as $.fn.jquery === "1.11.3" will no longer match – replace them, for example, with $.fn.jquery.indexOf("1.11.3") === 0.
Previously, if you used $.ajax() to load a text/javascript response from an external domain and did not specify dataType, jQuery automatically executed it as a script. This was a security issue (CVE-2015-9251), and it no longer happens.
What this means: requests to the same domain and any requests with an explicitly specified dataType continue to work unchanged. The change applies only to the combination of “external domain + missing dataType + expectation that the response will be executed as code”.
What to do if you load executable JS from an external domain:
// Previously (relied on automatic execution) - no longer works:
$.ajax({ url: 'https://external-domain.example/script.js' });
// Now - tell jQuery explicitly that this is a script:
$.ajax({ url: 'https://external-domain.example/script.js', dataType: 'script' });
// or, more simply:
$.getScript('https://external-domain.example/script.js');
$.extend(true, …) ignores the __proto__ key
When deeply merging objects ($.extend(true, target, source)), jQuery now skips the __proto__ key in the source object – this prevents so-called prototype pollution (CVE-2019-11358).
What this means: normal deep merging of configuration and data objects works exactly the same as before. Only code that intentionally merged the __proto__ key is affected (which is almost never done intentionally). If you really needed to change an object’s prototype, use Object.setPrototypeOf(target, proto) instead of $.extend.
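To make the prototype-pollution mechanism concrete, here is an added example that is not jQuery's or the template's code: deepExtend is a constructed stand-in for the deep-merge recursion of $.extend(true, …) with the __proto__ check switchable, and UNTRUSTED is constructed input such as a JSON body an addon merges into its settings.

```javascript
// Constructed stand-in for the deep-merge recursion of $.extend(true, target, source).
// It is NOT jQuery's code: it models only enough of the 1.11.3 behaviour to show
// why copying a __proto__ key from untrusted input pollutes Object.prototype.
// skipProto = true reproduces the backported CVE-2019-11358 fix.
function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const p = Object.getPrototypeOf(v);
  // jQuery 1.x treats Object.prototype itself as a plain object, which is what
  // lets the recursion descend into it when the key is __proto__.
  return p === Object.prototype || p === null;
}

function deepExtend(target, source, skipProto) {
  for (const name in source) {
    if (skipProto && name === '__proto__') continue; // the fix: never merge __proto__
    const copy = source[name];
    if (copy === target) continue;                   // guard against self-reference
    if (isPlainObject(copy)) {
      const src = target[name];                      // for '__proto__' this IS Object.prototype
      const clone = isPlainObject(src) ? src : {};
      target[name] = deepExtend(clone, copy, skipProto);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Constructed untrusted input, e.g. a JSON body an addon merges into its settings.
const UNTRUSTED = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Merge the untrusted object into a config and report whether an unrelated,
// freshly created object now carries the injected property.
function probe(skipProto) {
  const cfg = deepExtend({ theme: 'light' }, JSON.parse(UNTRUSTED), skipProto);
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // undo any pollution so later code is unaffected
  return { theme: cfg.theme, leaked };
}

console.log('without fix:', probe(false)); // { theme: 'dark', leaked: true }
console.log('with fix:   ', probe(true));  // { theme: 'dark', leaked: false }
```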
<div/>
Previously, jQuery internally rewrote self-closing syntax for non-void tags (for example <div/>, <span/>, <li/>) into full tag pairs (<div></div>). This rewrite enabled XSS (CVE-2020-11022 / CVE-2020-11023), so we are removing it – HTML is now passed to the browser exactly as provided.
What this means: the browser treats <div/> as an opening tag, so the following content is nested inside it instead of being placed next to it. The difference appears only if you used self-closing syntax for non-void tags in an HTML string passed to .html() / .append() / $(…).
// Previously: two sibling elements next to each other
// Now: the second div is nested inside the first one
$el.html('<div class="a"/><div class="b"/>');
// Solution - use full tag pairs:
$el.html('<div class="a"></div><div class="b"></div>');
// Creating a single empty element works unchanged in both forms:
$('<div/>'); // OK
$('<div></div>'); // OK (recommended)
Void tags (self-closing by definition), such as <br>, <img>, <input>, <hr>, are not affected in any way.
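As an added illustration (not part of the patch or of jQuery), the following helper finds self-closing syntax on non-void tags in an HTML string and rewrites it to full tag pairs; the tag set, regex and function names are our own assumptions for this note, and the matcher is a heuristic for the short inline strings typically passed to .html() / .append(), not a full HTML parser.

```javascript
// Added helper, not part of the jQuery patch: scan an HTML string for self-closing
// syntax on non-void tags and rewrite it to full tag pairs, the migration this
// note asks for. Regex-based, intended for the short inline strings usually
// passed to .html() / .append(), not for parsing whole documents.
const VOID_TAGS = new Set(['area', 'base', 'br', 'col', 'embed', 'hr', 'img',
  'input', 'link', 'meta', 'param', 'source', 'track', 'wbr']);

// Captures the tag name and its attributes for any start tag that ends in "/>".
const SELF_CLOSING = /<([a-zA-Z][\w-]*)([^<>]*?)\s*\/>/g;

// Returns one entry per non-void self-closing tag, with its position in the string.
function findNonVoidSelfClosing(html) {
  const hits = [];
  for (const m of html.matchAll(SELF_CLOSING)) {
    const tag = m[1].toLowerCase();
    if (!VOID_TAGS.has(tag)) hits.push({ tag, index: m.index, raw: m[0] });
  }
  return hits;
}

// Rewrites <div class="a"/> to <div class="a"></div>; void tags are left untouched.
function expandSelfClosing(html) {
  return html.replace(SELF_CLOSING, (raw, tag, attrs) =>
    VOID_TAGS.has(tag.toLowerCase()) ? raw : `<${tag}${attrs}></${tag}>`);
}

// Constructed sample: the markup from the note above plus a void tag.
const SAMPLE = '<div class="a"/><br/><div class="b"/>';
console.log(findNonVoidSelfClosing(SAMPLE).map(h => h.raw)); // [ '<div class="a"/>', '<div class="b"/>' ]
console.log(expandSelfClosing(SAMPLE)); // <div class="a"></div><br/><div class="b"></div>
```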
<script> via .html() / .append() still executes the scripts – exactly as before. We have preserved this behavior.
Events (.on(), delegation), .data(), .serialize(), animations, same-domain $.ajax, jQuery UI, and colorbox – everything remains unchanged.
Do I need to change anything?
In most cases, no. Check your code only if:
1) you load executable JS from an external domain via $.ajax() without dataType → add dataType: 'script' or use $.getScript();
2) you compare the version exactly, $.fn.jquery === "1.11.3" → switch to prefix comparison;
3) you use self-closing syntax for non-void tags (<div/>, <span/> …) → use full pairs such as <div></div>.
Points 2) and 3) are one-line changes, while point 1) applies only to scripts that intentionally load code from another domain.