OK, to clarify – I do not have ANY plugins currently installed. */poka_v2/js/vendor/jquery-1.11.3.min.js <— looks like there is something the poka theme uses.
This is all over my head, so given your answer, I will just conclude that the issue is not going to be fixed and I’ll use a theme from elsewhere that does not give off alerts to vulnerabilities.