Has anyone else run into security issues with whstub.js, whproxy.js, whtopic.js, ehlpdhtm.js, and whfhost.js?

Forum|Forum|10 years ago
April 17, 2015
1 reply
1801 views

We have a customer's security team objecting to the files because of an issue with their "Overly Permissive Message Posting Policy." An example:

Has anyone else run into this, and is there anything we can do to reduce the threat assessment?

This topic has been closed for replies.

Captiv8r

Legend

Perhaps try using Responsive HTML as an output type?

Willam van Weelden

Inspiring

Even then there's still a lot of messages going forward and the ehlpdhtm.js is shared across outputs.

But the postMessage option used is safe since you need to write code specifically for getting these messages. No hijacking can just be done through this. (See also Window.postMessage() - Web API Interfaces | MDN)

The concern here is the domain policy in the call where the * is too permissive. But since the help can be placed on any given URL, there is no way for Adobe to do it differently. Personally, I don't believe this is an issue as postMessage is meant for secure communication and it's not something you can just hijack.

jeffreywhAuthor

Participating Frequently

I will pass that along. I'm not in direct contact with the customer's security people, so I don't know their level of concern beyond what was passed to me.

In any case, thanks!

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded