Participant
June 4, 2015
Question

More Cross-Site Scripting vulnerabilities in .js files in RoboHelp 9


Adobe Customer Support tells me that RoboHelp version 9 is no longer updated and that I need to ask on this forum if there is any solution to the problems of Cross-Site Scripting vulnerabilities (discovered by the IT group's scanning our web app that includes the WebHelp generated by RoboHelp). There are problems with these two JavaScript files: whphost.js and whutils.js. If there are not any updates to the product, does anyone have a recommendation for handling these vulnerabilities? Does anyone know of any work-arounds?


1 reply

Jeff_Coatsworth
Community Expert
June 4, 2015

See this thread - https://forums.adobe.com/message/5388554#5388554 and others like it.

You need to identify the specific issue your security audit is freaking out about and check to see if any changes have been made in newer versions of RH. If there haven’t been any changes, you need to contact Adobe Tech Support with your specific concerns.

Participant
June 4, 2015

Thanks, Jeff.
Yeah, I've seen that thread and for that vulnerability, there is a simple work-around.
But recently, a scan has highlighted these lines as vulnerabilities:

In the whphost.js file:

    37    this.show = function(bShow)

    43    this.load();

    83    this.load = function()

    88    var strFile = _getFullPath(getPath(), this.msComFile);

    94    var sHTML = "<IFRAME ID=" ...;

    98    sHTML += "100%; height:100%;\"></IFRAME>";

    166    for (var s = 0; s < this.maCom.length; s++)

    171    this.maCom[nId].show(true);

    204    function getPath()

    208    gsPath =  location.href;

    213    return gsPath;

In the whutils.js file:

    92    function _getHost(sPath)

    103    return sPath;

    106    function _getFullPath(sPath, sRelPath)

    111    return _getHost(sPath) + sRelPath;

This is starting to look too complicated for a simple work-around.
How would I check to see if these are handled in any versions 10 or 11?
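
The lines listed in the scan trace a path from `location.href` through `getPath()`, `_getHost()` and `_getFullPath()` into the `IFRAME` markup string. The following is an added example, not RoboHelp's code and not posted by anyone in this thread, of the checks a reviewer would expect on that kind of flow; the function names, the sample host and the file name `frame.htm` are hypothetical.

```javascript
// Added example: hypothetical helpers, not RoboHelp's whphost.js / whutils.js.
// They model the flow in the scan report (page URL -> base path -> IFRAME
// markup) with validation and escaping applied at each step.

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Resolve a relative file against the page URL, discarding the query string
// and fragment, and accept only http(s) results on the page's own origin.
function resolveFrameUrl(pageHref, relFile) {
  let page, target;
  try {
    page = new URL(pageHref);
    page.search = "";
    page.hash = "";
    target = new URL(relFile, page);
  } catch (e) {
    return null; // unparsable input is rejected, not passed through
  }
  if (target.protocol !== "http:" && target.protocol !== "https:") return null;
  if (target.origin !== page.origin) return null;
  return target.href;
}

// Build the frame markup; returns "" when the URL fails validation.
function buildFrameHtml(frameId, pageHref, relFile) {
  const src = resolveFrameUrl(pageHref, relFile);
  if (src === null) return "";
  return '<iframe id="' + escapeAttr(frameId) + '" src="' + escapeAttr(src) +
    '" style="width:100%; height:100%;"></iframe>';
}
```

In a browser, creating the element with `document.createElement("iframe")` and assigning the validated URL to its `src` property avoids building markup from strings at all.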

Jeff_Coatsworth
Community Expert
June 4, 2015

I’d find a non-production machine and download a trial copy, then have a look at the template js files you’re interested in. Have you investigated the HTML5 output to see if it satisfies your security guys?