Inspiring
May 3, 2022
Question

Insecure Randomness security vulnerability in RoboHelp Version 2020.7.46

  • May 3, 2022
  • 9 replies
  • 1958 views

Our Security team performed a Fortify SCA scan of our source code and found some security vulnerabilities relating to some of our RoboHelp files. I need help fixing this issue. The only related post I saw was a suggested patch for RH 2015.

 

The files that are problematic are common.min.js, layout.min.js, rh.min.js, and topic.min.js. 

 

Can anyone help?


    Adobe Expert
    September 8, 2022

    @Sleant if you have those files in your project source, it probably means that at some point someone accidentally generated the output into the source folder. Do you know if that was detected and cleaned up? If not, you might have some additional things to double-check.

    Sleant
    Inspiring
    September 8, 2022

    You're always right 🙂 What I didn't know was that the culprit could be from the source files (.../sourcefiles/contents/assets/js/*). I kept thinking it was the published files and folders. Your comment definitely guided me through my thought process, so thank you as always.

    Peter Grainge
    Adobe Expert
    September 7, 2022

    Old files on the server is what @Amebr was pointing at in her post.

    ________________________________________________________

    My site www.grainge.org includes many free Authoring and RoboHelp resources that may be of help.

    Help others by clicking Correct Answer if the question is answered. Found the answer elsewhere? Share it here. "Upvote" is for useful posts.

    Sleant
    Inspiring
    September 8, 2022

    Absolutely! Thank you as always, Peter.

    Sleant
    Inspiring
    September 7, 2022

    I think I just found the solution (at least for me). I deleted the .js folder inside the source folder (.../sourcefiles/contents/assets/js/*). Then I republished as HTML5 with the Azure_Blue skin and it did not publish the .js folder or any .js files within. Hope this helps someone.

    Inspiring
    September 7, 2022

    Ooooh! Thanks for this! I will give it a try.

    Adobe Expert
    August 15, 2022

    I had a look in my RH2020 test output and can't find those files. The publish process doesn't remove unused or deleted files from the server, so could those two files be relics of old RH uploads? 

    Known Participant
    June 20, 2022

    I'm following this post because we are also having security issues via a scan. I posted before I saw this one and am trying to get additional details from our IT folks to address it with TCS Support.

     

    Please post when you have any updates.

     

    Thank you!

    Tonya

    Inspiring
    June 20, 2022

    Adobe informed me that the update 8 that is expected to address this should be released at the end of this month, June 2022. 

    Adobe Employee
    July 6, 2022

    I downloaded it last week and our deployment team says it did NOT fix the issue with insecure randomness.

     


    Hi jenniferc89874448,

    We got an issue reported regarding vulnerabilities in the responsive output.
    Upon further investigation and running the Checkmarx SAST tool, we did find vulnerabilities of high impact, but all of them were related to DOM XSS, which we fixed in update 8. The rest were either false positives or medium/low and we did not take those.

    Peter Grainge
    Adobe Expert
    June 10, 2022

    Support will be contacting you.

    Sleant
    Inspiring
    June 10, 2022

    Yes! They did. Thank you so much, Peter. They told me this:

    "This is regarding the RoboHelp vulnerability issue you reported on Forums. We have identified the issue and the team is working on it. The fix to this issue will be part of RoboHelp update 8, which is coming out soon."

    Inspiring
    June 10, 2022

    Yes-- I got the same information today too. I really appreciate the escalation of this-- I've found such great assistance using this forum! 

    Peter Grainge
    Adobe Expert
    June 9, 2022

    I have raised this with an Adobe contact. Hopefully you will hear something.

    Sleant
    Inspiring
    June 9, 2022

    That is amazing, Peter. Thank you so much for doing that for us. Fingers crossed.

    Sleant
    Inspiring
    June 9, 2022

    Did you reach out to tcssup@adobe.com? I'm in the same situation and would love to hear if you came to a resolution. Thank you. 

    Jeff_Coatsworth
    Adobe Expert
    June 9, 2022

    @Sleant - I'd e-mail them yourself with the details you've got - your situation may not match the OP's.
    [Edit] - From reports on the web, it appears that Fortify freaks out over any use of the Math.random() JS function - which is used in the js files noted in the OP's post, but not in any security or cryptographic function. So I'd highly suspect an over-reaction.

    Sleant
    Inspiring
    June 9, 2022

    Thank you, Jeff. We did, but it's been about 6 weeks with no real resolution. Replying here in hopes that OP may have had resolved her issue.

    Jeff_Coatsworth
    Adobe Expert
    May 3, 2022

    You'll need to contact the RH folks directly on that one - usually these are false alarms, but only they can tell you if there's really an issue. See https://helpx.adobe.com/contact/enterprise-support.other.html#robohelp for your Adobe Support options. I'd recommend using the tcssup@adobe.com e-mail address as it reaches a team dedicated to Technical Communication Suite products including RoboHelp.