February 26, 2014
Question

xss vulnerabilities in Robohelp 10.0.0.287

  • February 26, 2014
  • 1 reply
  • 776 views

I've searched on XSS vulnerabilities but did not find anything about "document.write(strHtml)". Can anyone tell me whether this is due to the usage of frames or another reason? ---thanks


This topic has been closed for replies.

1 reply

Jeff_Coatsworth
Community Expert
February 26, 2014

Try running an update – you should be at 10.0.1.292

February 26, 2014
Jeff, thank you for the quick reply. I had already applied the 10.0.1 update and the security bulletin below that. I don't find an upgrade to 10.0.1.292. The last link below has some additional links. Do you know if the suggested upgrade is one of those (or should I just apply all of them?)?

These have been applied

The Adobe® RoboHelp® 10.0.1 update fixes critical bugs that were found in Adobe RoboHelp 10 software.
http://www.adobe.com/support/robohelp/downloads.html

XSS vulnerability fix

http://www.adobe.com/support/security/bulletins/apsb13-24.html


Additional Updates Found Here (but not specifically stated for 10.0.1.292)

http://wvanweelden.eu/articles/robohelp-patches-and-updates

Willam van Weelden
Inspiring
February 27, 2014

Thanks. Haha. That was too easy.

We updated the PC, republished and get the same "document.write(strHtml)" error. Any other thoughts?

FYI, we also get multiple, similar errors already documented in http://forums.adobe.com/message/5392138#5392138

but it seems that is not a valid error in the opinion of the responder. We got these before too, before the latest upgrade from 10.0.0.287, but I just thought I would mention it.


Where does this error occur? Some tools report XSS vulnerabilities that do not really classify as such.

The errors mentioned in the link are a mechanism for breadcrumbs. It makes sure that the correct page in the TOC is highlighted when a topic is used multiple times. It doesn't seem a real issue to me, but I'm no security expert. The script just redirects the topic to itself with a different parameter. No cross domain requests there.

If your security advisor thinks it is a real vulnerability, please file a bug report on

https://www.adobe.com/cfusion/mmform/index.cfm?name=wishform&product=12

Kind regards,

Willam
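An added example, not part of the thread and not RoboHelp's own script: a scanner hit on `document.write(strHtml)` only matters if `strHtml` carries unencoded data from the URL, so triage means tracing how the string is built. The thread does not show that code, so the builder functions, the `title` parameter and the probe value below are hypothetical.

```javascript
// Added example: hypothetical function names, not RoboHelp's shipped script.
// Runs in Node without a browser; all inputs are constructed.

// Encode the characters that let data break out of HTML text or attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Case 1: markup built only from constants. A scanner hit on the
// document.write() call alone is a false positive here.
function buildStatic(_search) {
  return '<a class="crumb" href="#">Home</a>';
}

// Case 2: a URL parameter concatenated straight into the markup.
// This is the pattern that makes document.write() a real DOM XSS sink.
function buildUnescaped(search) {
  const title = new URLSearchParams(search).get("title") || "";
  return '<a class="crumb" href="#">' + title + "</a>";
}

// Case 3: the same URL data, encoded before it reaches the sink.
function buildEscaped(search) {
  const title = new URLSearchParams(search).get("title") || "";
  return '<a class="crumb" href="#">' + escapeHtml(title) + "</a>";
}

// Harmless constructed canary: inert markup with a unique id.
const PROBE = '<i id="probe-7f3a">';

// True when the canary comes back as live markup, i.e. the string that
// would be handed to document.write() reflects URL data unencoded.
function reflectsRawMarkup(build) {
  const strHtml = build("?title=" + encodeURIComponent(PROBE));
  return strHtml.includes(PROBE);
}

// Summarise the three cases for a triage note.
function triage() {
  return {
    static: reflectsRawMarkup(buildStatic),       // false: nothing from the URL
    unescaped: reflectsRawMarkup(buildUnescaped), // true: report as a finding
    escaped: reflectsRawMarkup(buildEscaped),     // false: data is encoded
  };
}
```
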