When running Google Lighthouse tests for Best Practices, WordPress users will run into a 7-point deduction for
The associated directive is, “Some third-party scripts may contain known security vulnerabilities that are easily identified and exploited by attackers. Learn more.”
You may be tempted to think this is coming from a plugin or your theme (which is still worth checking), but WordPress Core actually contains this jQuery script. Version 1.12.4 was released way back in May 2016.
The 2 exploits that Google’s Best Practices audit refers to in this core script are
Cross-site Scripting (XSS) (when the attacker tricks a legitimate web-based application or site into accepting a request as originating from a trusted source, read the full report here) and
Why doesn’t WordPress Core just update to the latest jQuery version? Unfortunately, it’s not backwards compatible with 1.12.4, so forcing an update will cause lots of sites to break. There is an ongoing discussion here that tracks when the upgrade should take place within WordPress Core.
Thankfully, you don’t have to wait. You can use a free plugin to update just that JS without having to get dirty with your site code. The plugin is called jQuery Updater.
Bear in mind, if you have some older dependencies, using this plugin may cause JS errors in your console and stop certain site functionality from working, so be sure to try it out on a staging copy of your site first, or at least at a low-traffic time.
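To confirm on the staging copy which jQuery core version a page still serves, you can scan its HTML for jQuery script tags. The following is an added example, not code from the plugin or from WordPress; the function names are hypothetical, the sample HTML is constructed, and it assumes the version appears either in the file name or in a `?ver=` query string.

```javascript
// SAMPLE_HTML is constructed for illustration; it assumes the version shows up
// in a ?ver= query string or in the file name of the script.
const SAMPLE_HTML = `
<script src="https://example.test/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
<script src="https://example.test/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1"></script>
<script src="https://example.test/wp-content/plugins/demo/js/jquery-3.5.1.min.js"></script>
`;

// Compare dotted versions numerically: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Return every jQuery core script reference with its version (null if not stated).
function findJqueryScripts(html) {
  const results = [];
  const scriptSrc = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = scriptSrc.exec(html)) !== null) {
    const src = m[1];
    const file = src.split('?')[0].split('/').pop();
    // Core file only: jquery.js, jquery.min.js, jquery-3.5.1.min.js (not jquery-migrate or jquery-ui).
    const core = /^jquery(?:[-.](\d+(?:\.\d+)+))?(?:\.slim)?(?:\.min)?\.js$/i.exec(file);
    if (!core) continue;
    const query = /[?&]ver=(\d+(?:\.\d+)+)/.exec(src);
    const version = core[1] || (query ? query[1] : null);
    results.push({ src, version });
  }
  return results;
}

// Flag references at or below the version the audit reports (1.12.4 on this page).
function flagOutdated(html, flaggedVersion = '1.12.4') {
  return findJqueryScripts(html).filter(
    (s) => s.version !== null && compareVersions(s.version, flaggedVersion) <= 0
  );
}

console.log(flagOutdated(SAMPLE_HTML));
```

Run it against the saved page source before and after enabling the plugin; an empty result after the change means no script tag on that page still points at 1.12.4 or older.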