There is a minor and relatively hard-to-exploit security vulnerability in jQuery 3.2.x, which ships with currently security-supported versions of Moodle, e.g. 3.5.x.
More information on the vulnerability patched in jQuery 3.4.0:
Two options I see that would fix this:
- Update to jQuery 3.4.x and backport the other fixes from
- Patch the jQuery 3.2.x version as mentioned on the jQuery release page
The latter looks pretty easy - a one-line patch.