Has Microsoft documented XSS mitigation for Bootstrap and jQuery XSS vulnerabilities in their online hosted products?


I am reviewing a web scan vulnerability report and believe Microsoft has mitigated the vulnerabilities reported (based on jQuery and Bootstrap versions), but finding documentation from Microsoft would be helpful.

“According to its self-reported version number, Bootstrap is 3.x prior 3.4.1 or 4.x prior to 4.3.1. Therefore, it may be affected by a cross-site scripting vulnerability via data-template attribute for tooltip and popover plugins. Note that the scanner has not tested for these issues but has instead relied only on the application’s self-reported version number.”

“According to its self-reported version number, jQuery is at least 1.4.0 and prior to 1.12.0 or at least 1.12.4 and prior to 3.0.0-beta1. Therefore, it may be affected by a cross-site scripting vulnerability due to cross-domain ajax request performed without the dataType. Note that the scanner has not tested for these issues but has instead relied only on the application’s self-reported version number.”

This is for a site hosted in Dynamics CRM 9.1.0.18950.

Thank you!
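Both findings quoted above rest only on the self-reported version number, so the scanner's check can be reproduced offline against the script files a site actually serves. The following is an added example, not part of the original post or of any Microsoft or scanner code: the function names, the banner-comment format and the sample banners are assumptions, and a match only reproduces the version-based finding; it does not show whether the served code was patched without a banner change.

```javascript
// Version ranges copied from the two scanner findings quoted above,
// as [minimum inclusive, maximum exclusive].
const FLAGGED_RANGES = {
  bootstrap: [["3.0.0", "3.4.1"], ["4.0.0", "4.3.1"]],
  jquery: [["1.4.0", "1.12.0"], ["1.12.4", "3.0.0-beta1"]],
};

// Split "3.0.0-beta1" into numeric parts and an optional pre-release tag.
function parseVersion(text) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$/.exec(text);
  if (!m) throw new Error("unrecognised version: " + text);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Returns <0, 0 or >0. A release sorts above its own pre-releases;
// pre-release tags are compared as plain strings (a simplification of semver).
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] - y.nums[i];
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// Read the self-reported version from a library banner comment (assumed
// format "<Name> v<version>") and apply the scanner's ranges.
// Returns null when no banner is recognised.
function triageBanner(banner) {
  const m = /\b(jQuery|Bootstrap) v(\d+\.\d+\.\d+(?:-[0-9A-Za-z.]+)?)/i.exec(banner);
  if (!m) return null;
  const library = m[1].toLowerCase();
  const version = m[2];
  const flagged = FLAGGED_RANGES[library].some(
    ([min, max]) => compareVersions(version, min) >= 0 && compareVersions(version, max) < 0
  );
  return { library, version, flagged };
}

// Constructed sample banners, not taken from the site in the post.
const SAMPLES = [
  "/*! jQuery v1.11.3 | (c) jQuery Foundation | jquery.org/license */",
  "/*! jQuery v3.0.0-beta1 | (c) jQuery Foundation | jquery.org/license */",
  "/*! Bootstrap v3.3.7 (http://getbootstrap.com) */",
  "/*! Bootstrap v4.3.1 (https://getbootstrap.com/) */",
];
for (const s of SAMPLES) console.log(triageBanner(s));
```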