RoboHelp 9 - Enabling the cookie secure flag
Hello All - Have a question about RoboHelp 9 and a security vulnerability. We discovered a vulnerability in the WebHelp output we produce, so I am starting here. The site requires authentication and then passes it into the page, so we believe that RoboHelp uses frames within its framework. The use of frames in authenticated sites is not recommended and, as mentioned, is a security vulnerability.
The new version fixes the cross-site scripting vulnerability involving the query string (example.paychex.com/path?XSS) but introduces an equivalent vulnerability with the URL hash tag (example.site.com/path#XSS). Normally, anything after the hash tag is considered a “fragment identifier”, which is a reference to some position in the document. Seems the vulnerability is due to enabling the cookie secure flag.
Has anyone heard of this?
Thanks.
Chris
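
One way to validate a URL fragment before a frameset page uses it, as an added example that is not part of the original post and is not RoboHelp's own code. It assumes a help page that loads the topic named after the `#` into its content frame; the function name, host names and file names are hypothetical.

```javascript
// Added example. Assumption: the frameset reads location.hash and loads the
// named topic into a content frame. The fragment never reaches the server,
// so server-side filtering cannot see it; the check has to run in the page.
const ALLOWED_EXT = /\.html?$/i;

function resolveTopicFromHash(hash, pageUrl, defaultTopic) {
  const base = new URL(pageUrl);
  const fallback = new URL(defaultTopic, base).href;
  let raw = String(hash || "").replace(/^#/, "");
  try {
    raw = decodeURIComponent(raw);
  } catch (e) {
    return fallback; // malformed percent-encoding
  }
  // URL parsers strip tabs and newlines, so reject them (and spaces,
  // backslashes) before parsing instead of relying on the parsed result.
  if (raw === "" || /[\u0000-\u0020\\]/.test(raw)) return fallback;

  let target;
  try {
    target = new URL(raw, base);
  } catch (e) {
    return fallback;
  }
  // Script or data schemes and foreign hosts all fail the same-origin test.
  if (target.protocol !== base.protocol || target.origin !== base.origin) {
    return fallback;
  }
  // The topic must stay under the directory that holds the help page.
  const helpRoot = base.pathname.replace(/[^/]*$/, "");
  if (!target.pathname.startsWith(helpRoot)) return fallback;
  if (!ALLOWED_EXT.test(target.pathname)) return fallback;
  // Drop any query string or nested fragment from the result.
  return target.origin + target.pathname;
}

// Constructed sample inputs (not taken from the post).
const PAGE = "https://help.example.test/docs/index.htm";
const SAMPLES = ["#topics/intro.htm", "#//other.example.test/x.htm", "#%3Cscript%3E"];
const RESULTS = SAMPLES.map((h) => resolveTopicFromHash(h, PAGE, "welcome.htm"));

// In a browser the call would be:
//   frame.src = resolveTopicFromHash(location.hash, location.href, "welcome.htm");
```

Only the first sample resolves to its own topic; the other two fall back to the default topic.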