Submit Feedback
Legacy Knowledge Base
Published Jun. 30, 2025

Are URLs that display/download Liferay JS information a vulnerability?

Written By

Pablo Vidal

How To articles are not official guidelines or officially supporteddocumentation. They are community-contributed content and may not alwaysreflect the latest updates to Liferay DXP. We welcome your feedback toimprove How to articles!

While we make every effort to ensure this Knowledge Base is accurate, itmay not always reflect the most recent updates or official guidelines.We appreciate your understanding and encourage you to reach out with anyfeedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack"publication program, made available for informational purposes. Articlesin this program were published without a requirement for independentediting or verification and are provided "as is" withoutguarantee.

Before using any information from this article, independently verify itssuitability for your situation and project.

Issue

  • Some monitoring tools may identify certain URLs that are accessible during routine scans that should not have allowed access.

  • Among the URLs that are typically detected are URLs that can download Liferay's JS (JavaScript) to the equipment being accessed.

  • For example, if you inject the parameter o/frontend-js-aui-web/liferay/dependency.js.map into your virtual host, the dependency.js file will be downloaded to your device.
  • Can the possibility of downloading this file be considered a vulnerability?

Environment

  • Liferay DXP 7.4
  • Liferay DXP 7.3
  • Liferay DXP 7.2

Resolution

  • From a product standpoint, there are multiple accessible files where you can see part of the code. In fact, any file served to the browser can be downloaded but this should not be considered a vulnerability.

  • Liferay DXP is an open-source product and we can say that this is an expected behavior and we do not consider it a risk.
     

Additional Information

  • For more details on best practices when opening a security ticket, please see: Before Opening a Security Ticket
  • If you have any additional questions about this topic, please submit a ticket to the Support team through our Help Center.

 

 

Did this article resolve your issue ?
Legacy Knowledge Base
Did this article resolve your issue ?