Hi - We recently upgraded to Captivate 2019 to update some old video content. Our Fortify On-Demand (FOD) security scan has flagged two files with High and Critical security flaws. I've searched the forum but can't find any reference to these issues in a later version of Captivate. I had hoped that by upgrading we wouldn't have these issues.
We are using these HTML5 videos on our web site as standalone introductions to our app, not part of an LMS.
FILE: CPXHRLoader.js
ISSUE: High severity Cross-Site Scripting: DOM on line 37. (Read g.href - Assignment to g.innerHTML)
I assume this is the section of code:
(h.a[b]=g.href,t()):(g.innerHTML='@import "'+r+'";',s(g))
FILE: Index.html
ISSUE: Critical severity Open Redirect on line 55.
ISSUE: High severity Cross-Site Scripting: DOM on line 55. (Read request.response - Assignment to window.location.href)
window.location.href = window.location.protocol + "//" + window.location.host + "/livepreview/" + response.folder + "/index.html";
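The flagged flow in Index.html is `response.folder` reaching `window.location.href` unchecked. One way to constrain it, as an added example that is not Captivate's code or part of the original post: `buildPreviewUrl`, the `SAFE_FOLDER` pattern and the sample values are assumptions, and the pattern should be adjusted to the folder names the publish step really produces.

```javascript
// Added example (not Adobe's code). Accept only a single, plain path segment
// for the folder name; the pattern is an assumption about valid folder names.
const SAFE_FOLDER = /^[A-Za-z0-9_-]{1,64}$/;

// loc is a Location-like object ({protocol, host}); response is the parsed
// XHR response. Returns the redirect target, or null if the value is rejected.
function buildPreviewUrl(loc, response) {
  const folder = response && response.folder;
  if (typeof folder !== "string" || !SAFE_FOLDER.test(folder)) {
    return null; // rejects "../", "/", "\\", "?", "#", "%2f", empty, non-strings
  }
  const base = new URL(loc.protocol + "//" + loc.host);
  const url = new URL(
    "/livepreview/" + encodeURIComponent(folder) + "/index.html",
    base
  );
  // Defense in depth: the resolved URL must stay on the page's own origin.
  return url.origin === base.origin ? url.href : null;
}

// Constructed sample inputs, for illustration only.
const sampleLocation = { protocol: "https:", host: "example.test" };
const samples = [
  { folder: "intro_01" },   // expected: accepted
  { folder: "../admin" },   // path traversal: rejected
  { folder: "a/b" },        // extra path segment: rejected
  { folder: "x?next=y" },   // query injection: rejected
  { folder: 42 },           // wrong type: rejected
  {},                       // missing field: rejected
];

function runSamples() {
  return samples.map((r) => buildPreviewUrl(sampleLocation, r));
}

for (const result of runSamples()) {
  console.log(result === null ? "rejected" : result);
}

// In the page itself the call site would become:
//   const target = buildPreviewUrl(window.location, response);
//   if (target) { window.location.assign(target); }
```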
I received a private message on the forum to contact support via email, but have not heard back.
Note that someone sent the PM the same day (April 6), but it did not generate an email notification to me, and I only saw it when I logged back in two days later.