The bundled jquery version is 1.12.4 and anything below 3.5.0 is susceptible to XSS attacks. Installing security patches did not fix the issue...
Apparently the version of jquery triggering a vulnerability to our security scan is contained in
C:\Program Files\ArcGIS\Server\framework\runtime\spark\jars\spark-core_2.11-2.4.4.jar
C:\Program Files\ArcGIS\Server\framework\lib\shared\hadoop-yarn-common-2.7.3.jar
C:\Program Files\ArcGIS\Server\framework\lib\shared\scala-compiler-2.11.12.jar
C:\Program Files\ArcGIS\Server\framework\lib\shared\spark-core_2.11-2.4.4.jar
C:\Program Files\ArcGIS\Server\framework\runtime\spark\jars\Hadoop-yarn-common-2.9.2.jar
C:\Program Files\ArcGIS\Server\framework\runtime\spark\jars\scala-compiler-2.11.12.jar