Vulnerability with Push Requests with Atmosphere

Hello all,

our application is configured to work with push. The requests to the app server look like the following

https://skip.dot.com/app/PUSH?skip=stuff&X-Atmosphere-tracking-id=0&X-Atmosphere-Framework=2.2.13.vaadin3-jquery&X-Atmosphere-Transport=long-polling&X-Atmosphere-TrackMessageSize=true&Content-Type=application%2Fjson%3B%20charset%3DUTF-8&X-atmo-protocol=true&_=123456789

The X-Atmosphere-Framework parameter reveals a concrete implementation (version 2.2.13.vaadin3-jquery) which has been pointed out in a security audit as something one should avoid (or remove, in our case). (By the way, Vaadin has others, e.g. https://skip.dot.com/app/VAADIN/vaadinPush.js?v=7.6.4)

My question is whether it’s possible to configure the application to use another framework. Or if there’s an entry point we could implement to avoid passing around of version numbers? Has Vaadin been updated to use a newerversion of Atmosphere, as 2.2 has already reached “end-of-life” (https://github.com/Atmosphere/atmosphere).

Any hints are welcome.

Thanks in advance!

Cheers

Tupi