Has anyone else run into security issues with whstub.js, whproxy.js, whtopic.js, ehlpdhtm.js, and whfhost.js?

Report · Apr 17, 2015

We have a customer's security team objecting to the files because of an issue with their "Overly Permissive Message Posting Policy." An example:

Has anyone else run into this, and is there anything we can do to reduce the threat assessment?

Report · Apr 18, 2015

Perhaps try using Responsive HTML as an output type?

Report · Apr 20, 2015

Even then there's still a lot of messages going forward and the ehlpdhtm.js is shared across outputs.

But the postMessage option used is safe since you need to write code specifically for getting these messages. No hijacking can just be done through this. (See also Window.postMessage() - Web API Interfaces | MDN)

The concern here is the domain policy in the call where the * is too permissive. But since the help can be placed on any given URL, there is no way for Adobe to do it differently. Personally, I don't believe this is an issue as postMessage is meant for secure communication and it's not something you can just hijack.

Report · Apr 20, 2015

I will pass that along. I'm not in direct contact with the customer's security people, so I don't know their level of concern beyond what was passed to me.

In any case, thanks!

Adobe Community

Has anyone else run into security issues with whstub.js, whproxy.js, whtopic.js, ehlpdhtm.js, and whfhost.js?