Upgrading angular js version from (1.5.8 to 1.7.8)

Hi team,
We are using Redash 7 and we have a requirement to upgrade the angular js version from 1.5.8 to 1.7.8, since current version of angular js is found vulnerable in testing. Could you please help us on this topic. Could you please confirm if the application is exploiting vulnerability in v1.5.8

Known issues

AngularJS Issue #11352 : https://github.com/angular/angular.js/issues/11352

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). The $http function within Angular does not perform any security checks using $sce.RESOURCE_URL on the URLs that it receives. This could be leveraged by an attacker to conduct XSS attacks through JSONP callbacks.

AngularJS Issue #16288 : https://github.com/angular/angular.js/issues/16288

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). Browsers mutate attributes values such as javascript:alert(1) when they are written to the DOM via innerHTML in various vendor specific ways. In Chrome (<62), this mutation removed the preceding “whitespace” resulting in a value that could end up being executed as JavaScript.

AngularJS Issue #11328: https://github.com/angular/angular.js/issues/11328

Affected versions of this package are vulnerable to JSONP Callback Attack. JSONP (JSON with padding) is a method used to request data from a server residing in a different domain than the client. Any url could perform JSONP requests, allowing full access to the browser and the JavaScript context. This can lead to Cross-site Scripting.

Thanks and Regards
Indu

We have no plans on upgrading the Angular version:

  1. I’m pretty sure that these issues are not relevant to our codebase. Specifically #11352 and #11328. I still need to check further re. #16288.
  2. We plan on finishing the Angular to React migration towards 2020.

#11352 and #11328 are irrelevant because we don’t use JSONP in Redash. #16288 may be reproduced in Redash (not sure how, though), but Content-Security-Policy: script-src 'self'; header should fix it without upgrading AngularJS.