CiviCRM includes a copy of jQuery 1.x. If a site uses jQuery 1.x or 2.x to asynchronously load third-party assets, then the third party (or a man-in-the-middle) may trick jQuery into executing arbitrary JavaScript code (CVE-2015-9251). CiviCRM deployments should generally be safe because they rely very little on third-party assets; however, as a preventive measure, CiviCRM now includes the mitigation from jQuery#2432.
Affected versions: CiviCRM versions 5.10.2 and earlier
Fixed versions: CiviCRM versions 5.10.3 and 5.7.4
Resolution: Upgrade to the latest CiviCRM version
NOTE: If you have a customization which purposefully uses CiviCRM's copy of jQuery to asynchronously load executable JavaScript code from an external provider, then take care to revalidate it.
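To make the mitigation concrete, here is an added illustration (not jQuery's or CiviCRM's own code) that models how `$.ajax` picks a response dataType from the `Content-Type` header when the caller gives none, and what the jQuery#2432 prefilter changes for cross-domain requests. The `contents` table and the prefilter shape follow jQuery's; `simulate` and `resolveDataType` are hypothetical helpers for this example.

```javascript
// Simplified model of jQuery's response-type auto-detection (CVE-2015-9251).
// Added example, not jQuery's or CiviCRM's code.

// jQuery's default "contents" table: response Content-Type -> dataType.
const DEFAULT_CONTENTS = {
  xml: /\bxml\b/,
  html: /\bhtml/,
  json: /\bjson\b/,
  script: /\b(?:java|ecma)script\b/,
};

// jQuery#2432 mitigation (ajaxPrefilter): for cross-domain requests, disable the
// "script" entry so a body served as text/javascript is never auto-promoted to
// dataType "script" and executed. Callers who really want that must say so.
function mitigationPrefilter(settings) {
  if (settings.crossDomain) {
    settings.contents = { ...settings.contents, script: false };
  }
}

// Resolve the dataType jQuery would apply to a response (hypothetical helper).
function resolveDataType(settings, contentType) {
  if (settings.dataType && settings.dataType !== "*") {
    return settings.dataType; // explicit opt-in by the caller wins
  }
  for (const [type, re] of Object.entries(settings.contents)) {
    if (re && re.test(contentType)) return type;
  }
  return "text"; // no match: treat the body as inert text
}

// Simulate one request; "executed" means the body would run as script.
// Input: { crossDomain, dataType, mitigated } and the server's Content-Type.
function simulate({ crossDomain, dataType, mitigated }, contentType) {
  const settings = { crossDomain, dataType, contents: { ...DEFAULT_CONTENTS } };
  if (mitigated) mitigationPrefilter(settings);
  const resolved = resolveDataType(settings, contentType);
  return { resolved, executed: resolved === "script" };
}

// Constructed scenario: a third party (or MITM) answers a cross-domain GET
// for "data" with Content-Type: text/javascript.
const hostile = "text/javascript; charset=utf-8";
console.log("jQuery 1.x/2.x:", simulate({ crossDomain: true, mitigated: false }, hostile));
console.log("with #2432   :", simulate({ crossDomain: true, mitigated: true }, hostile));
// A customization that intentionally loads remote code must now opt in:
console.log("explicit     :", simulate({ crossDomain: true, dataType: "script", mitigated: true }, hostile));
```

The last line is the case the NOTE above refers to: after the mitigation, a customization that intentionally pulls executable JavaScript cross-domain only keeps working if it passes `dataType: "script"` explicitly.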
Credits: Francis Whittle of Agileware for reporting the issue; Coleman Watts of CiviCRM for fixing the issue