In jQuery 1.x, a malicious AJAX response can pollute the content of the "Object.prototype". jQuery 1.x no longer receives security updates, but CiviCRM now includes a patched version of jQuery 1.x (1.12.4-civicrm-1) derived from https://github.com/DanielRuf/snyk-js-jquery-174006/.
CiviCRM Versions 5.13.0 and earlier
CiviCRM version 5.13.4 and 5.7.6
Upgrade to the latest version of CiviCRM
Michał Gołębiowski-Owczarek and Daniel Ruf for the upstream patches.
John Kingsnorth of Camberidge University and John Kirk of CiviFirst for reporting the issue. Tim Otten of CiviCRM for backporting.