Cross-scripting errors in WebHelp output (RoboHelp 2015)
After running a security scan of the product, the application developers reported DOM cross-scripting errors resulting from the online help. This is what the scan turned up:
DOM XSS Issue in the following files:
• Whstart.js -> document.location=document.location;
• whtbar.js -> top.location = strURL;
• whtopic.js -> window.location = strUrl
• whtopic_nc.js -> window.location = strMainPage.substring(0, indx+1) + "whcsh_home.htm#topicurl=" + strMainPage.substring(indx+1);
And also an open redirect issue in the following file:
• whtbar.js -> top.location = strURL;
I am generating WebHelp using RoboHelp 2015 (version 12.0.2.384).
I was under the impression that the cross-site scripting errors existed in earlier versions of RoboHelp (8 and 9) and had been corrected in subsequent releases. My search of the RoboHelp forums did turn up a more recent post about similar issues with Responsive HTML 5 output, but that's not the output format I'm using.
Has anyone else recently experienced these errors in WebHelp? Does Adobe have a fix for this issue?
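One way to guard location assignments like the ones flagged above, shown as an added example that is not part of the original post and is not Adobe's code. The helper names `safeHelpTarget` and `navigateTop`, the sample host, and the assumptions that the help is served over http(s) with all topics under the start page's directory are hypothetical.

```javascript
// Added example: safeHelpTarget and navigateTop are hypothetical helpers,
// not functions from RoboHelp's generated WebHelp scripts.

// Resolve `candidate` against the help system's own URL and return the
// absolute URL only if it stays on the same origin and under the help root.
function safeHelpTarget(candidate, baseHref) {
  if (typeof candidate !== "string" || candidate === "") return null;
  let base, target;
  try {
    base = new URL(baseHref);
    target = new URL(candidate, base); // parser normalises "..", "\" and "//host"
  } catch (err) {
    return null; // unparseable input is never navigated to
  }
  // Assumption: help is served over http(s). Rejects javascript:, data:, etc.
  if (target.protocol !== "http:" && target.protocol !== "https:") return null;
  // Same origin only: this is what closes the open redirect.
  if (target.origin !== base.origin) return null;
  // Assumption: all topics live under the directory containing the start page.
  const helpRoot = base.pathname.slice(0, base.pathname.lastIndexOf("/") + 1);
  if (!target.pathname.startsWith(helpRoot)) return null;
  return target.href;
}

// Guarded replacement for a bare `top.location = strURL` assignment.
// `win` is the window object to navigate (for example `top`).
function navigateTop(win, strURL, baseHref) {
  const safe = safeHelpTarget(strURL, baseHref);
  if (safe === null) return false; // refuse and leave the location unchanged
  win.location = safe;
  return true;
}
```

In a browser, `baseHref` should come from a fixed configuration value or the page's own `location.origin` plus a known path, never from the query string or fragment that supplied `strURL`.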
