Known Participant
September 16, 2021
Question

Help fix security vulnerability in RH Output


We use the Responsive HTML5 output generated using Robohelp 2019. Our security team brought up issues related to the ehlpdhtm.js and mhtopic.js files.

For the ehlpdhtm.js file:

  1. Unrestricted target for cross-origin message - A malicious site can intercept the message by changing the location of the window. In requestUpdateLinks: Sending a cross-origin message without restricting the origin that can receive it. 
  2. Unchecked origin of message event - An attacker can send arbitrary data via event messages, which may lead to DOM-XSS or other injection-based client-side security issues. In onRcvContentSizeMsg: A 'message' handler does not check the origin of its received message event.


In the mhtopic.js file:

URL manipulation - An attacker may access unintended server-side functionality or make the application access a malicious website. In setRelStartPage: Constructing an HTTP request URL using a user-controllable string.


Does anyone know how to fix this? Anything we can do when authoring the Help?
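The three scanner findings quoted above describe well-known client-side patterns: a postMessage call with a wildcard target origin, a 'message' handler that never looks at event.origin, and a request URL assembled from a value the user controls. The block below is an added illustration of each flagged pattern next to a hardened form; it is not the contents of RoboHelp's ehlpdhtm.js or mhtopic.js and makes no claim about what those files actually do. HELP_ORIGIN, TOPIC_BASE, the message format and all function names are assumptions made for this example.

```javascript
// Added illustration, not RoboHelp code. HELP_ORIGIN, TOPIC_BASE, the message
// shape and the function names are assumptions made for this example.
const HELP_ORIGIN = 'https://help.example.com';      // assumed origin that serves the help output
const TOPIC_BASE = HELP_ORIGIN + '/contents/';        // assumed directory that holds topic pages

// --- Finding 1: "unrestricted target for cross-origin message" ---
// Flagged pattern: a '*' target delivers the message to whatever document now occupies
// the target window, so a page that has navigated that frame elsewhere can read it.
function sendContentSizeWeak(targetWindow, size) {
  targetWindow.postMessage(JSON.stringify({ type: 'contentSize', size }), '*');
}

// Hardened: name the expected origin. The browser silently drops the message if the
// window's current document is not served from that origin. Returns the sent payload.
function sendContentSize(targetWindow, size, targetOrigin = HELP_ORIGIN) {
  const msg = JSON.stringify({ type: 'contentSize', size });
  targetWindow.postMessage(msg, targetOrigin);
  return msg;
}

// --- Finding 2: "unchecked origin of message event" ---
// Flagged pattern: any window holding a reference to this one may post data, and the
// data is used as received.
function onContentSizeMessageWeak(event, frame) {
  frame.style.height = event.data;   // attacker-chosen string reaches the DOM unchecked
}

// Hardened: check event.origin against an allowlist, parse a fixed message shape and
// reduce the payload to a bounded number before it touches the DOM.
// Returns the accepted pixel height, or null when the message is rejected.
function onContentSizeMessage(event, allowedOrigins = [HELP_ORIGIN]) {
  if (!allowedOrigins.includes(event.origin)) return null;          // reject foreign senders
  let payload;
  try { payload = JSON.parse(event.data); } catch { return null; }  // reject non-JSON data
  if (!payload || payload.type !== 'contentSize') return null;       // reject unknown message types
  const size = Number(payload.size);
  if (!Number.isFinite(size) || size < 0 || size > 100000) return null; // bound the value
  return Math.floor(size);   // caller applies frame.style.height = size + 'px'
}

// --- Finding 3: "URL manipulation" via a start-page value ---
// Flagged pattern: a query-string value is used as the location to load, so
// '//evil.example/x.htm' or a full URL is navigated to as-is.
function resolveStartPageWeak(userValue) {
  return userValue || TOPIC_BASE + 'default.htm';
}

// Hardened: resolve against the help base, then require the same origin, a path that
// stays inside the topic directory and an .htm/.html file name.
// Returns the absolute URL to load, or null when the value is rejected.
function resolveStartPage(userValue, base = TOPIC_BASE) {
  let url;
  try { url = new URL(userValue, base); } catch { return null; }   // malformed input
  const baseUrl = new URL(base);
  if (url.origin !== baseUrl.origin) return null;                   // blocks other hosts, //host and javascript:
  if (!url.pathname.startsWith(baseUrl.pathname)) return null;       // blocks ../ escape from the topic tree
  if (!/\.html?$/i.test(url.pathname)) return null;                  // only topic pages
  return url.href;
}
```

The hardened handler never puts a string from the message into the DOM: it turns the payload into a number and lets the caller set a pixel height, which is the shape that removes the DOM-XSS sink the scanner is warning about. The start-page check relies on the WHATWG URL parser rather than string matching, so scheme tricks and protocol-relative URLs are caught by the origin comparison instead of by a pattern.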


    Peter Grainge
    Community Expert
    September 16, 2021

    Assuming you get it with all patches applied, you will need to take this up with Adobe Support. See https://helpx.adobe.com/contact/enterprise-support.other.html#robohelp for your Adobe Support options. The email link tcssup@adobe.com is recommended as it reaches a team dedicated to Technical Communication Suite products including RoboHelp. 


    99 times out of 100 that we see this sort of post on the forum it is because of an over-aggressive checker, but only Adobe can help.

    ________________________________________________________
    See www.grainge.org for free Authoring and RoboHelp Information
