3

I have a WordPress blog, and when I navigate to a particular path such as http://example.com/wp-content/themes/css/jquery-scrollbar.css?, I could see all the CSS code for the scroll bar.

My questions are:

  1. Is this a normal behaviour or is it a vulnerability?

  2. How to prevent the browser from showing the CSS?

  3. Is known CSS code a vulnerability?

TildalWave
MS Guy
    I see there are a lot of downvotes here. I'm upvoting it because the user has a genuine question about security that's very easy to answer, even if he or she has a lot of misconceptions. We are all here to learn more about infosec... – Mark Buffalo Mar 03 '16 at 15:28

3 Answers

13

Everything that is executed in the browser can be seen by the client; that is the nature of the Web. This includes HTML, JavaScript, and CSS. So, unless you put something confidential in a file that will be served by your browser, this is not a vulnerability.

Edit: below is from @schroeder's comment

In addition, every single webpage can show the CSS code. You can download the CSS files, or open developer view to see and even manipulate the CSS code for your browser.

Neil Smithline
    In addition, every single webpage can show the CSS code. You can download the CSS files, or open developer view to see and even manipulate the CSS code for your browser. – schroeder Mar 03 '16 at 07:36
5

Welcome to Security.SE. The issue that you described is not a security vulnerability. The reason is that JavaScript and CSS files must be viewable by the browser so that your website can function normally.

h4ckNinja
-2

This is completely normal for a webpage without explicit security; it's even possible to copy a whole website if you have access to a bash terminal. The only real way to ensure no one has access to directories or files is to use a .htaccess file. These dictate which directories the user can and cannot view. For example, if you add an entry for www.foo.com/css and then I head there, it'll return a 403.

Hope this helps.