
fix: update MathJax CDN from 2.7.5 to 2.7.9 (CVE-2023-39663) #320

Open
jignaciopm wants to merge 1 commit into ednx-release/teak.master from jipm/fix-synack-W1162-8-mathjax-ednx-teak-master

Conversation

@jignaciopm


Summary

MathJax 2.7.5 is vulnerable to ReDoS (Regular Expression Denial of Service) via CVE-2023-39663. This updates all CDN references from jsdelivr to use MathJax 2.7.9 which includes the fix.

CVSS: 5.4 (Medium)
Vulnerability ID: HELICOPTER-W1162-8

Files changed

All 8 files that hardcode the MathJax CDN URL have been updated from mathjax@2.7.5 to mathjax@2.7.9:

  • common/templates/mathjax_include.html
  • common/templates/xblock_v2/xblock_iframe.html
  • cms/static/cms/js/require-config.js
  • cms/djangoapps/pipeline_js/js/xmodule.js
  • common/static/common/js/discussion/mathjax_include.js
  • lms/static/lms/js/spec/main.js
  • cms/static/cms/js/spec/main.js
  • cms/static/cms/js/spec/main_squire.js

Test plan

  • Verify LaTeX formulas render correctly in LMS course content
  • Verify formulas render in Studio preview
  • Verify formulas render in discussion forums
  • Verify xblock v2 iframe content renders formulas

References

MathJax 2.7.5 is vulnerable to ReDoS (Regular Expression Denial of
Service) via CVE-2023-39663. This updates all CDN references to use
MathJax 2.7.9 which includes the fix.
@jignaciopm

Author

CI failures are pre-existing — not caused by this PR

The two CI failures in this PR are not related to the MathJax CDN URL update:

1. Karma test: Mismatched anonymous define() module

This is a pre-existing RequireJS/jQuery loading order issue in CMS Karma tests. It is already documented in openedx/edx-platform#35956 and the CI output itself references it:

WARNING: Skipped broken webpack tests. For details, see: https://github.com/openedx/edx-platform/issues/35956

2. pip install: loremipsum / ModuleNotFoundError: No module named 'pkg_resources'

The loremipsum==1.0.5 package uses pkg_resources from setuptools in its setup.py, which is no longer available by default in Python 3.12+ build environments. This is a pre-existing dependency issue unrelated to this PR.

What this PR changes

Only CDN URL strings: mathjax@2.7.5 → mathjax@2.7.9 in 8 files. No JavaScript logic, no Python code, no dependency changes.
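A reviewer verifying a bump like this wants a mechanical check that no hard-coded MathJax CDN reference was missed and that none is still below 2.7.9. The following scanner is an added example for this thread, not code from edx-platform or from the PR author: it finds jsDelivr `mathjax@<version>` URLs in source text, compares the pinned version against the fixed 2.7.9 release named in this PR, and can walk a checkout. The `<script>` snippet it runs against is constructed for the example and is not the content of any of the eight files listed above; the `audit_text` and `scan_tree` names are this example's own.

```python
"""Flag hard-coded MathJax jsDelivr CDN references pinned below 2.7.9.

Added example: finds URLs of the form
https://cdn.jsdelivr.net/npm/mathjax@X.Y.Z/... in source text, parses the
pinned version and reports any 2.x pin below the release that fixes
CVE-2023-39663 (2.7.9, per the PR under review).
"""
import re
from pathlib import Path
from typing import NamedTuple

# jsDelivr npm URL pinned to a MathJax version; the path/query is optional.
MATHJAX_CDN_RE = re.compile(
    r"https?://cdn\.jsdelivr\.net/npm/mathjax@(?P<version>\d+(?:\.\d+)*)"
    r"(?P<path>/[^\s\"']*)?"
)

# First fixed release on the 2.x line, as stated in the PR description.
FIXED_VERSION = (2, 7, 9)

# File types the edx-platform change touched (HTML templates and JS).
SCAN_SUFFIXES = {".html", ".js", ".py"}


class CdnRef(NamedTuple):
    line_no: int
    version: tuple
    url: str


def parse_version(text: str) -> tuple:
    """'2.7.5' -> (2, 7, 5); tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))


def find_mathjax_refs(source: str) -> list:
    """Return every MathJax CDN reference in the text with its line number."""
    refs = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for m in MATHJAX_CDN_RE.finditer(line):
            refs.append(CdnRef(line_no, parse_version(m.group("version")), m.group(0)))
    return refs


def is_vulnerable(version: tuple, fixed: tuple = FIXED_VERSION) -> bool:
    """True for a 2.x pin below the fixed release.

    A short pin such as mathjax@2.7 also compares below (2, 7, 9) and is
    flagged, because it does not guarantee which patch release is served.
    The 3.x line is packaged differently and is out of scope here.
    """
    return version[0] == 2 and version < fixed


def audit_text(source: str) -> list:
    """Only the references that still need updating."""
    return [ref for ref in find_mathjax_refs(source) if is_vulnerable(ref.version)]


def scan_tree(root: str) -> list:
    """Walk a checkout and return (path, CdnRef) pairs for vulnerable pins."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in SCAN_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend((str(path), ref) for ref in audit_text(text))
    return findings


# Constructed sample: a template fragment before and after the bump.
SAMPLE_BEFORE = '''<script type="text/javascript"
  src="https://cdn.jsdelivr.net/npm/mathjax@2.7.5/MathJax.js?config=TeX-AMS-MML_HTMLorMML">
</script>'''
SAMPLE_AFTER = SAMPLE_BEFORE.replace("mathjax@2.7.5", "mathjax@2.7.9")


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        for path, ref in scan_tree(sys.argv[1]):
            print(f"{path}:{ref.line_no}: {ref.url}")
    else:
        for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
            print(label, [ref.url for ref in audit_text(text)])
```

Run it with a checkout path (`python scan_mathjax.py /path/to/edx-platform`) to get a `path:line: url` listing of every pin still below 2.7.9; an empty listing is the condition a reviewer wants to see before approving a change whose only content is URL strings.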
