diff --git a/core/js/setupchecks.js b/core/js/setupchecks.js
index ac752f1458..aa59cc8181 100644
--- a/core/js/setupchecks.js
+++ b/core/js/setupchecks.js
@@ -442,7 +442,7 @@
 					}
 				}
 
-				var xssfields = xhr.getResponseHeader('X-XSS-Protection') ? xhr.getResponseHeader('X-XSS-Protection').split(';').map(item => item.trim()) : [];
+				var xssfields = xhr.getResponseHeader('X-XSS-Protection') ? xhr.getResponseHeader('X-XSS-Protection').split(';').map(function(item) { return item.trim(); }) : [];
 				if (xssfields.length === 0 || xssfields.indexOf('1') === -1 || xssfields.indexOf('mode=block') === -1) {
 					messages.push({
 						msg: t('core', 'The "{header}" HTTP header doesn\'t contain "{expected}". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',