• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers

Insecure Randomness security vulnerability in RoboHelp Version 2020.7.46

Community Beginner ,
May 03, 2022 May 03, 2022

Copy link to clipboard

Copied

Our Security team performed a Fortify SCA scan of our source code and found some security vulnerabilities relating to some of our RoboHelp files. I need help fixing this issue. Only related post I saw was a suggested patch for RH 2015. 

 

The files that are problematic are common.min.js, layout.min.js, rh.min.js, and topic.min.js. 

 

Can anyone help?

Views

458

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
May 03, 2022 May 03, 2022

Copy link to clipboard

Copied

You'll need to contact the RH folks directly on that one - usually these are false alarms, but only they can tell you if there's really an issue. See https://helpx.adobe.com/contact/enterprise-support.other.html#robohelp for your Adobe Support options. I'd recommend using the tcssup@adobe.com e-mail address as it reaches a team dedicated to Technical Communication Suite products including RoboHelp.

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Participant ,
Jun 09, 2022 Jun 09, 2022

Copy link to clipboard

Copied

Did you reach out to tcssup@adobe.com? I'm in the same situation and would love to hear if you came to a resolution. Thank you. 

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jun 09, 2022 Jun 09, 2022

Copy link to clipboard

Copied

@Footbagkicker - I'd e-mail them yourself with the details you've got - your situation may not match the OP's.
[Edit] - From reports on the web, it appears that Fortify freaks out over any use of a math.random js function - which is used in the js files noted in the OP's post, but not in any security or cryptographic function. So I'd highly suspect an over-reaction.

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Participant ,
Jun 09, 2022 Jun 09, 2022

Copy link to clipboard

Copied

Thank you, Jeff. We did, but it's been about 6 weeks with no real resolution. Replying here in hopes that OP may have had resolved her issue.

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Jun 09, 2022 Jun 09, 2022

Copy link to clipboard

Copied

Hi there! OP here! No-- no resolution, and no response from Adobe. I just got an email on Sunday that the case was closed and I have requested a call because I did not get any details or resolution. I've been trying to get help/resolution for 2 months.

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Participant ,
Jun 09, 2022 Jun 09, 2022

Copy link to clipboard

Copied

Oh no. I'm sorry to hear that. Sounds like we're both in the same situation. I will report back here if I hear anything. Right now, we're trying to get approval to send a sample zip file to them because our Outlook IT folks won't allow a zip attachement. 

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jun 09, 2022 Jun 09, 2022

Copy link to clipboard

Copied

The usual way to get around that is to zip it, then rename it to something non-zip and send instructions on converting it back.

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Participant ,
Jun 09, 2022 Jun 09, 2022

Copy link to clipboard

Copied

Tried that muliple times with different extension name and it didn't go through. Really appreciate your help as always, Jeff.

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jun 09, 2022 Jun 09, 2022

Copy link to clipboard

Copied

I have raised this with an Adobe contact. Hopefully you will hear something.

________________________________________________________

My site www.grainge.org includes many free Authoring and RoboHelp resources that may be of help.

 

Help others by clicking Correct Answer or Like if helpful. Found your answer elsewhere? Share it here.

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Participant ,
Jun 09, 2022 Jun 09, 2022

Copy link to clipboard

Copied

That is amazing, Peter. Thank you so much for doing that for us. Fingers crossed.

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jun 10, 2022 Jun 10, 2022

Copy link to clipboard

Copied

Support will be contacting you.

________________________________________________________

My site www.grainge.org includes many free Authoring and RoboHelp resources that may be of help.

 

Help others by clicking Correct Answer or Like if helpful. Found your answer elsewhere? Share it here.

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Participant ,
Jun 10, 2022 Jun 10, 2022

Copy link to clipboard

Copied

Yes! They did. Thank you so much, Peter. They said me this:

"This is regarding to the RoboHelp vulnerability issue you reported on Forums. We have identified the issue and team is working on it. The fix to this issue will be the part of RoboHelp update 8 which is coming out soon."

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Jun 10, 2022 Jun 10, 2022

Copy link to clipboard

Copied

Yes-- I got the same information today too. I really appreciate the escalation of this-- I've found such great assistance using this forum! 

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Jun 20, 2022 Jun 20, 2022

Copy link to clipboard

Copied

I'm following this post because we are also having security issues via a scan. I posted before I saw this one and am trying to get additional details from our IT folks to address it with TCS Support.

 

Please post when you have any updates.

 

Thank you!

Tonya

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Jun 20, 2022 Jun 20, 2022

Copy link to clipboard

Copied

Adobe informed me that the update 8 that is expected to address this should be released at the end of this month, June 2022. 

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Participant ,
Jul 05, 2022 Jul 05, 2022

Copy link to clipboard

Copied

I just check, update 8 is now available to download. So, I'm going through it with IT department to download. Will report back my progress.

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Jul 05, 2022 Jul 05, 2022

Copy link to clipboard

Copied

I downloaded it last week and our deployment team says it did NOT fix the issue with insecure randomness.

 

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jul 06, 2022 Jul 06, 2022

Copy link to clipboard

Copied

@jenniferc89874448 - then you definitely need to contact the RH folks about what your deployment team thinks is still wrong about it.

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Employee ,
Jul 06, 2022 Jul 06, 2022

Copy link to clipboard

Copied

Hi jenniferc89874448,

We got an issue reported regarding vulnerabilities in the responsive output.
Upon further investigation and running checkmarx SAST tool we did find out vulnerabilities of high impact but all of them were related to DOM XSS, which we fixed in update 8. Rest were either false positive or medium/low and we did not take those.

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Participant ,
Aug 15, 2022 Aug 15, 2022

Copy link to clipboard

Copied

Hello Sudhanshu - We got update 8 and published. Our high vulnerability files are "whtopic.js" and "mhtopic.js". Do you know how we can address this issue? Our scanning tool is also Checkmarx. Any help is greatly appreciated. 

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Aug 15, 2022 Aug 15, 2022

Copy link to clipboard

Copied

@Footbagkicker what in particular did it have an issue with in those 2 JS files?

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Aug 15, 2022 Aug 15, 2022

Copy link to clipboard

Copied

I had a look in my RH2020 test output and can't find those files. The publish process doesn't remove unused or deleted files from the server, so could those two files be relics of old RH uploads? 

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Participant ,
Sep 07, 2022 Sep 07, 2022

Copy link to clipboard

Copied

I think I just found the solution (at least for me). I deleted the .js folder inside the source folder (.../sourcefiles/contents/assets/js/*. Then I republished as html5 with Azure_Blue skin and it did not published the .js folder and any .js files wjs-folder.pngithin. Hope this helps someone. 

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Sep 07, 2022 Sep 07, 2022

Copy link to clipboard

Copied

Ooooh! Thanks for this! I will give it a try.

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
RoboHelp Documentation
Download Adobe RoboHelp