We recently received the following email from https://nospam_srcclr.com (remove nospam_ for the real URL).
Thank you for your prompt reply. We have identified [our project] as being vulnerable to a cross-site scripting vulnerability through jQuery.
A copy of the jQuery version 1.11.3 is included in the project here. jQuery is vulnerable to cross-site scripting through execution of non-explicit data type. The vulnerable section of code used in [our project] is seen here.
To mitigate this issue, we recommend upgrading jQuery to 3.0.0.
untrusted domain by ajax, it is still safe.
If you did, you can manually apply this simple patch to your current jQuery: