HBase master branch is currently on Jetty 9.3, and latest Hadoop 3 (unreleased branches trunk, branch-3.2 and branch-3.1) bumped Jetty to 9.4 to address a vulnerability CVE-2017-9735.
(1) Jetty 9.3 and 9.4 are quite different (there are incompatible API changes) and HBase won't start on the latest Hadoop 3.
(2) In any case, HBase should update its Jetty dependency to address the vulnerability.
Fortunately for HBase, updating to Jetty 9.4 requires no code change other than the maven version string.
More tests are needed to verify if HBase can run on older Hadoop versions if its Jetty is updated.