I am reviewing a web scan vulnerability report and believe Microsoft has mitigated the vulnerabilities reported (based on jQuery and Bootstrap versions), but finding documentation from Microsoft would be helpful.

"According to its self-reported version number, Bootstrap is 3.x prior 3.4.1 or 4.x prior to 4.3.1. Therefore, it may be affected by a cross-site scripting vulnerability via data-template attribute for tooltip and popover plugins. Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number."

"According to its self-reported version number, jQuery is at least 1.4.0 and prior to 1.12.0 or at least 1.12.4 and prior to 3.0.0-beta1. Therefore, it may be affected by a cross-site scripting vulnerability due to cross-domain ajax request performed without the dataType. Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number."

This is for a site hosted in Dynamics CRM 9.1.0.18950.

Thank you!

Rex Bloom
  • What makes you think Microsoft has mitigated the vulnerabilities? Is it pure guesswork or is there concrete information that might lean towards the vulnerabilities being mitigated? – Ginnungagap Jul 07 '20 at 21:57
  • This page makes me hopeful: https://support.microsoft.com/en-us/help/4530348 – Rex Bloom Jul 07 '20 at 22:00

1 Answer

Based on the Microsoft article you forgot to link to in the original question (emphasis mine):

Microsoft Dynamics 365 is leveraging stable branch versions of jQuery, this includes 3.x, 2.x, and 1.x. While there are risks associated with specific functionality within the library, all usage of jQuery has been extensively reviewed in our Microsoft SDL process and we have ensured that vulnerable methods are not in use.

In short, the methods themselves aren't mitigated, but as they aren't used, it doesn't really matter.

Ginnungagap
  • The article is about a similar but different product than I am testing. I am not using the On-Premise version. – Rex Bloom Jul 07 '20 at 22:16
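
The answer above rests on the affected functionality not being used. For custom web resources you deploy yourself, the following heuristic check looks for the two patterns named in the scanner text: an ajax call without `dataType`, and a `data-template` attribute. It is an added example, not part of the original thread and not Microsoft's code; the file names and sample contents are constructed.

```javascript
// Added example: heuristic audit of custom web resources (not Microsoft's code).
const lineOf = (text, index) => text.slice(0, index).split('\n').length;

// Report $.ajax / jQuery.ajax calls whose arguments never set dataType.
function findAjaxWithoutDataType(source) {
  const findings = [];
  const callRe = /(?:\$|jQuery)\.ajax\s*\(/g;
  let m;
  while ((m = callRe.exec(source)) !== null) {
    // Walk to the matching ")" so nested callbacks stay inside the call.
    let depth = 1, i = callRe.lastIndex;
    while (i < source.length && depth > 0) {
      const ch = source[i++];
      if (ch === '(') depth++;
      else if (ch === ')') depth--;
    }
    const args = source.slice(callRe.lastIndex, i - 1);
    if (!/\bdataType\s*:/.test(args)) {
      findings.push({ kind: 'ajax-no-dataType', line: lineOf(source, m.index) });
    }
  }
  return findings;
}

// Report markup that supplies a data-template attribute (tooltip/popover option).
function findDataTemplateAttrs(html) {
  return [...html.matchAll(/\sdata-template\s*=/gi)]
    .map((m) => ({ kind: 'data-template', line: lineOf(html, m.index + 1) }));
}

// Run both checks over every resource: { fileName: fileContents }.
function auditResources(resources) {
  return Object.entries(resources).flatMap(([file, text]) =>
    findAjaxWithoutDataType(text).concat(findDataTemplateAttrs(text))
      .map((hit) => ({ file, ...hit })));
}

// Constructed sample inputs (hypothetical file names and contents).
const SAMPLE = {
  'new_form.js': "$.ajax({ url: a, dataType: 'json', success: function (d) { f(d); } });\n" +
    "jQuery.ajax({ url: b, success: function (d) { g(d); } });\n$.ajax(b);",
  'new_help.html': '<a data-toggle="tooltip" title="Help">?</a>\n' +
    '<a data-toggle="popover" data-template="&lt;div class=popover&gt;&lt;/div&gt;">i</a>',
};
console.log(auditResources(SAMPLE));
```

A call can still inherit `dataType` from `$.ajaxSetup`, and parentheses inside string literals will confuse the matcher, so treat each hit as an item to review by hand.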