Old version of jQuery is present in the JRuby builds #5872

@joshbressers

Description

I was asked by the security team to open a public issue for this; it's not an urgent security issue.

This CVE ID, https://nvd.nist.gov/vuln/detail/CVE-2015-9251, describes the following jQuery vulnerability:

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

If you unpack the JRuby jar, jquery.js can be found here:
META-INF/jruby.home/lib/ruby/stdlib/rdoc/generator/template/darkfish/js/jquery.js

In that file we see "jQuery v1.6.4".

CRuby recently fixed this by not shipping the jquery.js file anymore:
ruby/ruby@e82719c
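The practical follow-up for anyone maintaining a JRuby-based build is to inventory every bundled copy of jQuery and flag the ones older than 3.0.0 (the first release not affected by CVE-2015-9251). The Ruby script below is an added example written for this page, not code from the issue author or from the JRuby or CRuby projects. It walks a directory tree such as an unpacked JRuby jar, reads the version banner at the top of each `jquery*.js` file, and reports which copies fall below the fixed version. The sample tree it scans is constructed inside the script (mirroring the darkfish path quoted above plus a second, newer copy) so that it runs offline; the file names, the second copy and its version are assumptions for the demo.

```ruby
require 'rubygems'
require 'tmpdir'
require 'fileutils'

# Version banner found near the top of jQuery builds, e.g.
# "jQuery v1.6.4" (the string quoted in the issue) or
# "jQuery JavaScript Library v1.11.3" (older uncompressed builds).
JQUERY_BANNER = /jQuery(?: JavaScript Library)? v(\d+\.\d+\.\d+)/

# First jQuery release that is not affected by CVE-2015-9251.
FIXED_VERSION = Gem::Version.new('3.0.0')

# Returns the jQuery version string embedded in the first 20 lines of a file,
# or nil when no banner is present (e.g. a file that is not really jQuery).
def jquery_version(path)
  File.foreach(path).first(20).each do |line|
    m = JQUERY_BANNER.match(line)
    return m[1] if m
  end
  nil
end

# Walks a directory tree (e.g. the output of `unzip jruby-complete.jar`) and
# returns one hash per jquery*.js file found: the path relative to the root,
# the detected version, and whether it predates the fixed release.
def scan_for_jquery(root)
  Dir.glob(File.join(root, '**', 'jquery*.js')).sort.map do |path|
    version = jquery_version(path)
    {
      path: path.sub("#{root}/", ''),
      version: version,
      vulnerable: !version.nil? && Gem::Version.new(version) < FIXED_VERSION
    }
  end
end

# Builds a constructed sample tree that mimics the jar layout from the issue
# (one old darkfish copy, one assumed newer vendored copy) and scans it.
def demo_scan
  Dir.mktmpdir do |root|
    darkfish = File.join(root,
      'META-INF/jruby.home/lib/ruby/stdlib/rdoc/generator/template/darkfish/js')
    FileUtils.mkdir_p(darkfish)
    File.write(File.join(darkfish, 'jquery.js'),
      "/*!\n * jQuery JavaScript Library v1.6.4\n * http://jquery.com/\n */\n")

    vendored = File.join(root, 'vendor/js')   # assumed second location
    FileUtils.mkdir_p(vendored)
    File.write(File.join(vendored, 'jquery.min.js'),
      "/*! jQuery v3.5.1 | (c) JS Foundation */\n")

    scan_for_jquery(root)
  end
end

if __FILE__ == $PROGRAM_NAME
  demo_scan.each do |hit|
    status = hit[:vulnerable] ? 'VULNERABLE (< 3.0.0)' : 'ok'
    puts format('%-80s %-8s %s', hit[:path], hit[:version] || '?', status)
  end
end
```

To use it against a real build, replace `demo_scan` with `scan_for_jquery('/path/to/unpacked/jar')`; the check is version-based only, so it tells you which copies to remove or upgrade, not whether any page actually issues the cross-domain Ajax request described in the CVE.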
