Insecure Randomness security vulnerability in RoboHelp Version 2020.7.46

Community Beginner, May 03, 2022

Our Security team performed a Fortify SCA scan of our source code and found some security vulnerabilities relating to some of our RoboHelp files. I need help fixing this issue. Only related post I saw was a suggested patch for RH 2015. 

 

The files that are problematic are common.min.js, layout.min.js, rh.min.js, and topic.min.js. 

 

Can anyone help?

Adobe Community Professional, May 03, 2022

You'll need to contact the RH folks directly on that one - usually these are false alarms, but only they can tell you if there's really an issue. See https://helpx.adobe.com/contact/enterprise-support.other.html#robohelp for your Adobe Support options. I'd recommend using the tcssup@adobe.com e-mail address as it reaches a team dedicated to Technical Communication Suite products including RoboHelp.

Participant, Jun 09, 2022

Did you reach out to tcssup@adobe.com? I'm in the same situation and would love to hear if you came to a resolution. Thank you. 

Adobe Community Professional, Jun 09, 2022

@weet6328245 - I'd e-mail them yourself with the details you've got - your situation may not match the OP's.
[Edit] - From reports on the web, it appears that Fortify freaks out over any use of a math.random js function - which is used in the js files noted in the OP's post, but not in any security or cryptographic function. So I'd highly suspect an over-reaction.

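One way to triage the scanner findings discussed in this thread, as an added example that is not part of any post and is not Adobe's or Fortify's code: it lists each `Math.random` call site in a JavaScript file with its surrounding context, marks the ones near security-sounding identifiers for manual review, and shows a CSPRNG-backed replacement for call sites that do produce a security value. The marker list, function names, and sample snippets are assumptions constructed for illustration.

```javascript
// Added example: triage Math.random() call sites reported by a scanner.
// The marker list and sample snippets are constructed assumptions.
const SENSITIVE = /token|session|passw|nonce|csrf|secret|salt/i;

// Return one record per Math.random reference, with surrounding context.
function triageMathRandom(source, fileName, radius = 60) {
  const findings = [];
  const re = /Math\s*\.\s*random\b/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    const start = Math.max(0, m.index - radius);
    const context = source.slice(start, m.index + m[0].length + radius);
    findings.push({
      file: fileName,
      offset: m.index,
      context,
      // Heuristic only: a human still decides what the value is used for.
      verdict: SENSITIVE.test(context) ? 'review' : 'likely-benign',
    });
  }
  return findings;
}

// CSPRNG-backed replacement for call sites that do feed a security value.
const webcrypto = globalThis.crypto ||
  (typeof require === 'function' ? require('node:crypto').webcrypto : null);
function secureRandomHex(byteLength = 16) {
  const bytes = webcrypto.getRandomValues(new Uint8Array(byteLength));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Constructed minified-style samples (not taken from RoboHelp output).
const SAMPLES = {
  'ui.min.js': 'function u(p){return p+"_"+Math.floor(1e6*Math.random())}var elId=u("rh");',
  'auth.min.js': 'var sessionToken=Math.random().toString(36).slice(2);send(sessionToken);',
};

function triageAll(samples) {
  return Object.entries(samples).flatMap(([name, src]) => triageMathRandom(src, name));
}

for (const f of triageAll(SAMPLES)) {
  console.log(`${f.file}@${f.offset} ${f.verdict}: ${f.context}`);
}
```

A "likely-benign" verdict is a starting point for documenting a finding as a false positive, not proof of one.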
Participant, Jun 09, 2022

Thank you, Jeff. We did, but it's been about 6 weeks with no real resolution. Replying here in hopes that OP may have resolved her issue.

Community Beginner, Jun 09, 2022

Hi there! OP here! No-- no resolution, and no response from Adobe. I just got an email on Sunday that the case was closed and I have requested a call because I did not get any details or resolution. I've been trying to get help/resolution for 2 months.

Participant, Jun 09, 2022

Oh no. I'm sorry to hear that. Sounds like we're both in the same situation. I will report back here if I hear anything. Right now, we're trying to get approval to send a sample zip file to them because our Outlook IT folks won't allow a zip attachment.

Adobe Community Professional, Jun 09, 2022

The usual way to get around that is to zip it, then rename it to something non-zip and send instructions on converting it back.

Participant, Jun 09, 2022

Tried that multiple times with different extension names and it didn't go through. Really appreciate your help as always, Jeff.

Adobe Community Professional, Jun 09, 2022

I have raised this with an Adobe contact. Hopefully you will hear something.

________________________________________________________

My site www.grainge.org includes many free Authoring and RoboHelp resources that may be of help.

 

New Users: Default forum names can be changed in your Account Settings.

Participant, Jun 09, 2022

That is amazing, Peter. Thank you so much for doing that for us. Fingers crossed.

Adobe Community Professional, Jun 10, 2022

Support will be contacting you.

Participant, Jun 10, 2022

Yes! They did. Thank you so much, Peter. They told me this:

"This is regarding to the RoboHelp vulnerability issue you reported on Forums. We have identified the issue and team is working on it. The fix to this issue will be the part of RoboHelp update 8 which is coming out soon."

Community Beginner, Jun 10, 2022

Yes-- I got the same information today too. I really appreciate the escalation of this-- I've found such great assistance using this forum! 

Community Beginner, Jun 20, 2022

I'm following this post because we are also having security issues via a scan. I posted before I saw this one and am trying to get additional details from our IT folks to address it with TCS Support.

 

Please post when you have any updates.

 

Thank you!

Tonya

Community Beginner, Jun 20, 2022

Adobe informed me that the update 8 that is expected to address this should be released at the end of this month, June 2022. 

Participant, 7 hours ago

I just checked; update 8 is now available to download. So, I'm going through it with the IT department to download. Will report back my progress.

Community Beginner, 2 hours ago

I downloaded it last week and our deployment team says it did NOT fix the issue with insecure randomness.

 
