
DOM Based Cross-Site Scripting issue in RoboHelp 10

New Here, Jun 07, 2013

We're using a WebHelp system originally deployed using RoboHelp 9.0.2.271, and a recent security scan revealed the DOM based cross-site scripting issue.

I recently upgraded to RoboHelp 10, migrated my help system to this version, and redeployed the system, but our security scan is still detecting the cross-scripting vulnerability in WebHelp. Wasn't this issue resolved in RoboHelp 10?

Thanks

Community Expert, Jun 07, 2013

You should contact Adobe Support with your concerns and specifics of the issue your security guys are finding. You may have to use the Multiscreen HTML5 SSL to get around issues with frames.

LEGEND, Jun 09, 2013

Hi,

What XSS vulnerability are you talking about? It’s hard to know whether an issue is fixed when we don’t know what issue you’re talking about.

Greet,

Willam

New Here, Jun 10, 2013

Here's an example of one of the issues the security scan caught:

[Attached image: adobe Forum 6-10.jpg]

LEGEND, Jun 17, 2013

Hi,

I’m not a security expert, but this script reads the URL of the current topic and redirects to the current topic with a bookmark. This is needed for when the same topic is used in multiple locations in the TOC.

I’ll ask around about this security issue.

Greet,

Willam

Adobe Employee, Jun 24, 2013

Hi,

Thanks for reporting this issue.

We have investigated this.

Different penetration testing tools report this differently.

The code is: if "bc-" is found in the URL, then it takes the left part of the URL, which will have the current domain anyway.

We checked; it is not a cross-scripting vulnerability issue. Please let us know if you found some real threat.

Thanks

RoboHelp Engineering Team
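
An added example, not part of the thread and not RoboHelp's own code: a sketch of the logic the last reply describes (find "bc-" in the URL, keep the left part) next to a guard that confirms the result stays on the page's origin, which is the property that reply relies on and the one to verify when triaging this kind of scanner finding. The function names and the example.test URLs are assumptions.

```javascript
// Hypothetical reconstruction for illustration; names are not from RoboHelp.
const MARKER = "bc-"; // marker string named in the thread

// The flow a DOM XSS scanner flags: URL (source) -> substring -> redirect (sink).
// Returns the string that would be handed to location.replace(), or null.
function leftOfMarker(href) {
  const n = href.toLowerCase().indexOf(MARKER);
  return n === -1 ? null : href.substring(0, n);
}

// Guarded variant: accept the truncated URL only if it still parses as an
// http(s) URL on the same origin as the page it was derived from.
function sameOriginTarget(href) {
  const candidate = leftOfMarker(href);
  if (candidate === null) return null;
  let current, target;
  try {
    current = new URL(href);
    target = new URL(candidate);
  } catch (e) {
    return null; // truncation left something that is not an absolute URL
  }
  const okScheme = target.protocol === "http:" || target.protocol === "https:";
  return okScheme && target.origin === current.origin ? candidate : null;
}

// Constructed sample URLs (example.test hosts are placeholders).
const samples = [
  "https://help.example.test/guide/topic.htm#bc-3",     // marker in fragment
  "https://help.example.test/guide/topic.htm",          // no marker
  "https://abc-help.example.test/guide/topic.htm#bc-3", // marker text also in host
];

// Compare the unguarded and guarded result for each sample.
function triage() {
  return samples.map((u) => ({
    url: u,
    raw: leftOfMarker(u),
    guarded: sameOriginTarget(u),
  }));
}

console.log(triage());
```

The third sample shows why the origin comparison is worth making explicit: the first match of the marker can fall before the path, and the guard then returns null instead of a redirect target.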
