March 19, 2013

Is Javascript a security threat?

The IT dept of a potential client has identified some of the Javascript in my Webhelp output as a potential security threat for cross-site scripting.

Could someone please answer the following questions about the following code block?

  • What is its purpose?

  • Can all, or part of it be deleted? (And if so, please provide excruciatingly detailed instructions for removing javascript or minimising it in my output files.)

  • Do you think that the javascript in webhelp constitutes a security threat?

I am using RoboHelp 8 & don't know nothin' bout no javascript. This objection has never arisen before.

The code block (and especially the if statements about two different windows)

if (window.gbWhTopic)
{
    var strUrl = document.location.href;
    var bc = 0;
    var n = strUrl.toLowerCase().indexOf("bc-");
    if(n != -1)
    {
        document.location.href = strUrl.substring(0, n);
        bc = strUrl.substring(n+3);
    }

    if (window.addTocInfo)
    {

    }
    if (window.writeBtnStyle)
        writeBtnStyle();

    if (window.writeIntopicBar)
        writeIntopicBar(0);

    if (window.setRelStartPage)
    {
        setRelStartPage("Acco_3.htm");

        autoSync(1);
        sendSyncInfo();
        sendAveInfoOut();
    }
}
else
if (window.gbIE4)
    document.location.reload();
Thanks for any enlightenment,

John
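
For anyone reviewing the snippet above against a cross-site scripting finding, here is an added example (not part of the original post and not RoboHelp code) that models its "bc-" URL handling as a pure function, so the navigation target can be inspected without a browser. The function names, the result labels and the sample URLs are assumptions made for illustration.

```javascript
// Added example (not RoboHelp code). Sample URLs below are constructed.

// The posted "bc-" logic as a pure function: returns what the snippet would
// assign to document.location.href, or null when it would not navigate.
function bcRedirect(href) {
  const n = href.toLowerCase().indexOf("bc-");
  if (n === -1) return null;
  return { target: href.substring(0, n), bc: href.substring(n + 3) };
}

// Classify the navigation for a reviewer (labels are hypothetical).
function reviewRedirect(href) {
  const r = bcRedirect(href);
  if (r === null) return "no-redirect";
  // r.target is always a leading slice of href, so it cannot contain text
  // that was not already at the start of the current URL.
  let targetOrigin;
  try {
    targetOrigin = new URL(r.target).origin;
  } catch {
    return "truncated-before-path"; // cut fell inside the scheme or host
  }
  // The match is a plain substring search over the whole URL, so a site
  // hostname that itself contains "bc-" moves the cut in front of the path.
  return targetOrigin === new URL(href).origin
    ? "same-origin-prefix"
    : "truncated-before-path";
}

// Constructed sample URLs (hypothetical hosts, topic name from the post).
const samples = [
  "http://help.example/WebHelp/Acco_3.htm",
  "http://help.example/WebHelp/Acco_3.htm#bc-2",
  "http://help.example/WebHelp/Acco_3.htm#BC-7",
  "http://abc-docs.example/WebHelp/Acco_3.htm",
];
for (const href of samples) {
  console.log(reviewRedirect(href).padEnd(22), href);
}
```

In the posted lines the value stored in `bc` is never used again, so whether it later reaches the page depends on WebHelp script files that are not shown in the post.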

August 16, 2018

A security audit has identified the JavaScript in my Responsive HTML output, too. The difference is that I'm using RoboHelp 2015.

Yes, I've read through the thread. What is the correct way to turn it off in RH2015, and what are the consequences?

Thank you,

Cindy

Jeff_Coatsworth
Community Expert
August 16, 2018

AFAIK there's no way to turn off JavaScript being in your HTML5 output - disabling it in the browser would just make it not work. Is there some particular code that the audit is having an issue with? Maybe you need to check with Adobe about it and see if they have an option for you.

Captiv8r
Legend
March 19, 2013

Hi John

Here's the deal. With RoboHelp, you create HTML topic pages. And when it's time to create output, you choose the output type and create it. From what I've seen of your code, I'm guessing that you created WebHelp output. In WebHelp output, as the WebHelp is generated each topic is copied from the hard drive into memory and modified. Exactly HOW the topics are modified depends on the options you have selected in the Single Source Layout (SSL) recipe. The options govern which different bits of JavaScript code are added and inserted into the topic. The modified version of the topic is then saved to the folder location specified in the SSL recipe.

One of the options is called "Show Navigation Pane Link in Topics".

With this option enabled, the JavaScript code written into the topic performs a "sniff test" to ask: "Am I being presented within my WebHelp frameset?" and if the answer is no, code is written into the topic that provides the end user a link that reloads the topic within the WebHelp frameset when the user clicks it.

I do know that a year or two back, some sort of "cross site scripting vulnerability" was discovered, but I believe Adobe issued a patch shortly after the discovery that addressed it.

My guess here is that while it may look bad, what you are seeing is pretty innocuous and nothing to be concerned about.

Cheers... Rick

March 20, 2013

OK, thanks for your info Rick.

Peter Grainge
Community Expert
March 20, 2013

You can avoid the use of frames using the new Multiscreen HTML5 output in Rh10.

Use one of the desktop layouts there.


See www.grainge.org for RoboHelp and Authoring tips

@petergrainge