
Insecure Randomness security vulnerability in RoboHelp Version 2020.7.46

Explorer, May 03, 2022

Our Security team performed a Fortify SCA scan of our source code and found some security vulnerabilities relating to some of our RoboHelp files. I need help fixing this issue. Only related post I saw was a suggested patch for RH 2015. 

 

The files that are problematic are common.min.js, layout.min.js, rh.min.js, and topic.min.js. 

 

Can anyone help?

Community Expert, May 03, 2022

You'll need to contact the RH folks directly on that one - usually these are false alarms, but only they can tell you if there's really an issue. See https://helpx.adobe.com/contact/enterprise-support.other.html#robohelp for your Adobe Support options. I'd recommend using the tcssup@adobe.com e-mail address as it reaches a team dedicated to Technical Communication Suite products including RoboHelp.

Participant, Jun 09, 2022

Did you reach out to tcssup@adobe.com? I'm in the same situation and would love to hear if you came to a resolution. Thank you. 

Community Expert, Jun 09, 2022

@Sleant - I'd e-mail them yourself with the details you've got - your situation may not match the OP's.
[Edit] - From reports on the web, it appears that Fortify freaks out over any use of a math.random js function - which is used in the js files noted in the OP's post, but not in any security or cryptographic function. So I'd highly suspect an over-reaction.

Participant, Jun 09, 2022

Thank you, Jeff. We did, but it's been about 6 weeks with no real resolution. Replying here in hopes that OP may have had resolved her issue.

Explorer, Jun 09, 2022

Hi there! OP here! No-- no resolution, and no response from Adobe. I just got an email on Sunday that the case was closed and I have requested a call because I did not get any details or resolution. I've been trying to get help/resolution for 2 months.

Participant, Jun 09, 2022

Oh no. I'm sorry to hear that. Sounds like we're both in the same situation. I will report back here if I hear anything. Right now, we're trying to get approval to send a sample zip file to them because our Outlook IT folks won't allow a zip attachment.

Community Expert, Jun 09, 2022

The usual way to get around that is to zip it, then rename it to something non-zip and send instructions on converting it back.

Participant, Jun 09, 2022

Tried that multiple times with different extension names and it didn't go through. Really appreciate your help as always, Jeff.

Community Expert, Jun 09, 2022

I have raised this with an Adobe contact. Hopefully you will hear something.

________________________________________________________

My site www.grainge.org includes many free Authoring and RoboHelp resources that may be of help.

 

Help others by clicking Correct Answer if the question is answered. Found the answer elsewhere? Share it here. "Upvote" is for useful posts.
Participant, Jun 09, 2022

That is amazing, Peter. Thank you so much for doing that for us. Fingers crossed.

Community Expert, Jun 10, 2022

Support will be contacting you.

Participant, Jun 10, 2022

Yes! They did. Thank you so much, Peter. They told me this:

"This is regarding the RoboHelp vulnerability issue you reported on Forums. We have identified the issue and the team is working on it. The fix to this issue will be part of RoboHelp update 8, which is coming out soon."

Explorer, Jun 10, 2022

Yes-- I got the same information today too. I really appreciate the escalation of this-- I've found such great assistance using this forum! 

Community Beginner, Jun 20, 2022

I'm following this post because we are also having security issues via a scan. I posted before I saw this one and am trying to get additional details from our IT folks to address it with TCS Support.

 

Please post when you have any updates.

 

Thank you!

Tonya

Explorer, Jun 20, 2022

Adobe informed me that the update 8 that is expected to address this should be released at the end of this month, June 2022. 

Participant, Jul 05, 2022

I just checked, update 8 is now available to download. So, I'm going through it with the IT department to download. Will report back my progress.

Explorer, Jul 05, 2022

I downloaded it last week and our deployment team says it did NOT fix the issue with insecure randomness.

Community Expert, Jul 06, 2022

@jenniferc89874448 - then you definitely need to contact the RH folks about what your deployment team thinks is still wrong about it.

Adobe Employee, Jul 06, 2022

Hi jenniferc89874448,

We got an issue reported regarding vulnerabilities in the responsive output.
Upon further investigation and running the Checkmarx SAST tool, we did find vulnerabilities of high impact, but all of them were related to DOM XSS, which we fixed in update 8. The rest were either false positives or medium/low, and we did not take those.

Participant, Aug 15, 2022

Hello Sudhanshu - We got update 8 and published. Our high vulnerability files are "whtopic.js" and "mhtopic.js". Do you know how we can address this issue? Our scanning tool is also Checkmarx. Any help is greatly appreciated. 

Community Expert, Aug 15, 2022

@Sleant what in particular did it have an issue with in those 2 JS files?

Community Expert, Aug 15, 2022

I had a look in my RH2020 test output and can't find those files. The publish process doesn't remove unused or deleted files from the server, so could those two files be relics of old RH uploads? 

Participant, Sep 07, 2022

I think I just found the solution (at least for me). I deleted the .js folder inside the source folder (.../sourcefiles/contents/assets/js/*). Then I republished as HTML5 with the Azure_Blue skin and it did not publish the .js folder or any .js files within. Hope this helps someone.

Explorer, Sep 07, 2022

Ooooh! Thanks for this! I will give it a try.
