Skip to main content
takhlia
takhlia
Participating Frequently
April 23, 2019
Question

Security issue with robohelp postMessage

  • April 23, 2019
  • 1 reply
  • 3325 views

We use robohelp for online help.

A security scan of the product is reporting "HTML5: Overly Permissive Message Posting Policy" against Funtion:Window:postMessage in robohelp.

They do not like that a "*" is being used when sending messages via postMessage:

Is this a real problem?

Thanks

===

HTML5: Overly Permissive Message Posting Policy ( 11347 )

Summary

A broadcast of information to windows on the client-side using postMessage was observed. The postMessage function is one of the features of HTML5 that allows a window to send messages to another open window. The typical syntax of postMessage is window.postMessage(message, targetOrigin, [transfer]).

The message parameter contains the information to be shared and targetOrigin indicates the origin of the destination window. It is recommended to explicitly specify the targetOrigin intended for a particular message. While the function permits the use of a wildcard character (*) for the targetOrigin, allowing the message to be shared to any window, we strongly recommend avoiding this practice. If a malicious user injects a new window into the javascript’s execution context, then the new window will now be able to receive any information that is shared using the vulnerable postMessage construct.It is also important to validate any message that is received from another window to confirm that the sender was authorized to do so. This will avoid receiving unintended input from a malicious window.

Execution

Inspect all messages that are transferred between windows to check the targetOrigin of the function calls. In this particular case, the given stack trace represents the execution of javascript that led to the discovery of the vulnerability.

If the postMessage() is used to transmit sensitive information between windows, then an unauthorized window would be able to retrieve this information as well.

Implication

Fix

All data that is shared between windows must have explicit origins to avoid eavesdropping. It is recommended to avoid using “*” for the targetOrigin in order to prevent a broadcast of the information.

===

This topic has been closed for replies.

1 reply

Peter Grainge
Community Expert
Peter GraingeCommunity Expert
Community Expert
April 23, 2019

I have not seen anyone else report this but it is not something that RoboHelp users (those who support the forums) could really answer.

I think this is something for your IT people to take up as they will understand whether or not it is a real risk. Perhaps also approach whoever produced the scanning software.

See www.grainge.org for free RoboHelp and Authoring information.

@petergrainge

Use the menu (bottom right) to mark the Best Answer or Highlight particularly useful replies. Found the answer elsewhere? Share it here.
takhlia
takhliaAuthor
Participating Frequently
April 23, 2019

Thanks for responding Peter.

I was hoping that RoboHelp developers may be monitoring this forum and may respond.

Or a user might have run into this issue.

I did see a 5 year old message here  related to this issue but no real answer.

V
Adobe Employee
vikassingla
Adobe Employee
April 24, 2019

Hi takhlia,

Do you have detailed report for the security scan for this issue or related issues? Please share that report with us (you can send me private message).

Regards,

Vikas Singla

Terms & ConditionsAccessibility statement
Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices