Skip to main content
4-Participant
June 12, 2026
Question

Upgrade jQuery scrollintoview plugin v1.8 (2011) to latest version

  • June 12, 2026
  • 2 replies
  • 33 views

The ThingWorx mashup-vendor-shared.js file is using the jQuery scrollintoview plugin v1.8 (2011), which is vulnerable. We would like to upgrade this to the latest version, but since it is bundled within ThingWorx, please advise on the recommended approach for upgrading or replacing this plugin.

Current environment:

  • jQuery: 3.7.2
  • jQuery UI: 1.14
  • jQuery Migrate: 3.5.2

2 replies

Support
June 22, 2026

Hello ​@ST_14485832,

 

To better understand your requirement, could you please confirm the following:

  1. What is the current version of your ThingWorx?
  2. Which specific vulnerability or CVE has been identified for this plugin, and is it coming from a security scanning tool?
  3. Is the plugin actively used in your mashups, or is this more of a compliance/security flag due to its presence?
  4. Have you implemented or considered any custom extensions/widgets that depend on or override this plugin?
  5. Have there been any custom changes made to ThingWorx platform JS files in your environment
4-Participant
July 1, 2026

Hi,
First of all, thanks for your response.
Here are updated details:

  1. What is the current version of your ThingWorx?
    Thingworx Version is 9.7.3 but I also observed this jquery plugin version issue on thingworx 10.0.3 version.
  2. Which specific vulnerability or CVE has been identified for this plugin, and is it coming from a security scanning tool?

    • jQuery Plugin - Latest or stable version 1.9.4

    • Ladash - 4.17.1 to Latest or Stable and Secure Version 4.18.1

     

    References :

    https://jquery.com/download/

    https://www.npmjs.com/package/jquery.scrollintoview

    https://security.snyk.io/package/npm/lodash/4.17.21

    https://www.npmjs.com/package/lodash?activeTab=versions

    yes, it tested from a security scanning tool.

  3. Is the plugin actively used in your mashups, or is this more of a compliance/security flag due to its presence?
    I think its necessary in thingworx mashup-vendor-shared.js file is using the jQuery scrollintoview plugin v1.8 (2011),
  4. Have you implemented or considered any custom extensions/widgets that depend on or override this plugin?
    No.
  5. Have there been any custom changes made to ThingWorx platform JS files in your environment
    No.

 

Support
July 6, 2026

Hi ​@ST_14485832,

Thank you for providing the additional details.

I understand that your security scanning tool is flagging the versions of jquery.scrollintoview and lodash bundled within the ThingWorx platform. You also confirmed that the behavior is observed in both ThingWorx 9.7.3 and 10.0.3, and that no customizations have been made to the platform files. 

 

To help evaluate the impact more accurately, could you please provide the following:

  1. Does the security scan report reference any specific CVE(s) associated with:

    • jquery.scrollintoview v1.8
    • the bundled lodash version
  2. Can you share the relevant portion of the scan report showing:

    • Severity (Critical/High/Medium/Low)
    • CVE identifier(s)
    • Vulnerability description
    • Affected file path(s)
  3. Is the scan identifying an actual vulnerability or only recommending an upgrade because newer versions are available? For example, the latest published jquery.scrollintoview package appears to be version 1.9.4, but an older version being present does not necessarily indicate a security vulnerability by itself. 

 

If there is a confirmed CVE affecting the bundled library, please share the vulnerability details.

 

Support
June 30, 2026

Hello ​@ST_14485832

 

I hope you’re doing well.

 

I wanted to follow up on my previous message regarding the details needed to better understand your requirement. Could you please share the requested information when you have a chance?