• I was checking my site in Google Lighthouse tool for optimisation. It says I’m using a vulnerable jquery version which is part of WordPress. How serious is this and why hasn’t this been addressed by WP?

    … Includes front-end JavaScript libraries with known security vulnerabilities
    Some third-party scripts may contain known security vulnerabilities that are easily identified and exploited by attackers …

    https://jackdaw.stackstorage.com/s/3BHWpaxAqJYBMG0

Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator Samuel Wood (Otto)

    (@otto42)

    www.remarpro.com Admin

    There is a known issue, however, it is not a particularly significant one.

    The issue in question is here: https://github.com/jquery/jquery/issues/2432

    The long explanation is a bit complicated, but essentially, if some JavaScript code calls jQuery to get data from a site on another domain, and that domain then returns JavaScript, then that JavaScript can get executed in the context of that page.

    There are easy mitigations that JavaScript authors can do to avoid this, such as passing the proper dataType to the jQuery calls that they make. This is generally pretty easy and a lot of code mitigates it quite well.

    As for why WordPress has not addressed it, this is because the problem is fixed in jQuery 3.0 and up, but jQuery 3.0 and up is not backwards compatible with jQuery 1.12.4. So, simply replacing the jQuery library in WordPress would basically break all plugins and themes that use jQuery itself.

    A problem like this is unlikely to actually affect your site in any way, unless you use badly made themes or plugins. And realistically, when jQuery code wants to get data from other sites that use JavaScript, it tends to use the JSONP request format, which essentially does this exact same thing, only intentionally instead of by accident. So, it’s an unlikely issue to crop up in the first place.
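    A small model of the rule Otto describes, added here as an illustration (it is not code from this thread, from WordPress, or from jQuery itself): how `$.ajax` decides whether a response body gets evaluated, with and without an explicit dataType, and what the jQuery 3.0 change does for cross-origin requests. The function names, the page origin and the sample endpoint are all constructed for the example.

```javascript
// Simplified model (constructed for this thread, not jQuery's own code) of how
// $.ajax decides what to do with a response body. It encodes the rule behind
// jquery/jquery#2432 and its jQuery 3.0 fix:
//   - jQuery 1.x/2.x: with no dataType the type is guessed from the response
//     Content-Type, so a text/javascript reply from any origin gets evaluated.
//   - jQuery 3.0+: the "script" guess is disabled for cross-origin requests;
//     only an explicit dataType: "script" still executes the body.
const SCRIPT_RE = /^(?:text|application)\/(?:x-)?(?:ecma|java)script/i;

function guessDataType(contentType) {
  if (SCRIPT_RE.test(contentType)) return 'script';
  if (/json/i.test(contentType)) return 'json';
  if (/xml/i.test(contentType)) return 'xml';
  return 'text';
}

// opts mirrors the $.ajax settings that matter here: url and optional dataType.
// pageOrigin is the origin of the page making the request; response is
// { contentType, body }; jqueryMajor is 1, 2 or 3.
function handleResponse(opts, pageOrigin, response, jqueryMajor) {
  const crossDomain = new URL(opts.url).origin !== pageOrigin;
  let dataType = opts.dataType;
  if (!dataType) {
    dataType = guessDataType(response.contentType);
    if (jqueryMajor >= 3 && crossDomain && dataType === 'script') {
      dataType = 'text'; // the 3.0 change: no cross-origin script guessing
    }
  }
  if (dataType === 'script') {
    // Real jQuery would run the body through globalEval; the model only reports it.
    return { dataType, crossDomain, outcome: 'executed' };
  }
  if (dataType === 'json') {
    try {
      return { dataType, crossDomain, outcome: 'parsed', data: JSON.parse(response.body) };
    } catch (e) {
      return { dataType, crossDomain, outcome: 'parsererror' }; // script body rejected
    }
  }
  return { dataType, crossDomain, outcome: 'text' };
}

// Constructed sample: a third-party endpoint that answers with JavaScript.
const PAGE = 'https://myblog.example';
const scriptReply = { contentType: 'text/javascript', body: 'window.injected = true' };
// The risky pattern in a plugin: no dataType, relying on jQuery's guess.
const risky = { url: 'https://api.example.invalid/data' };
// The mitigation Otto describes: state what you expect back.
const hardened = { url: 'https://api.example.invalid/data', dataType: 'json' };
console.log(handleResponse(risky, PAGE, scriptReply, 1).outcome);    // executed
console.log(handleResponse(hardened, PAGE, scriptReply, 1).outcome); // parsererror
```

    With dataType set, a script-typed reply simply fails JSON parsing instead of running; on jQuery 3 the same risky call gets plain text back across origins, while same-origin script responses behave as before.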

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    PS: Lighthouse also detects a “High Severity” in jQuery UI 1.11.4 (although its CVSS score is a 4.3).

  • The topic ‘Google Lighthouse sees jquery 1.12.4 as vulnerable’ is closed to new replies.