Has anyone else run into security issues with whstub.js, whproxy.js, whtopic.js, ehlpdhtm.js, and whfhost.js?

New Here
Apr 17, 2015


We have a customer's security team objecting to the files because of an issue with their "Overly Permissive Message Posting Policy." An example:

[Screenshot: js error message.jpg]

Has anyone else run into this, and is there anything we can do to reduce the threat assessment?

TOPICS
Classic, WebHelp

LEGEND
Apr 18, 2015


Perhaps try using Responsive HTML as an output type?

LEGEND
Apr 20, 2015


Even then, there are still a lot of messages going forward, and ehlpdhtm.js is shared across outputs.

But the postMessage option used is safe since you need to write code specifically for getting these messages. No hijacking can just be done through this. (See also Window.postMessage() - Web API Interfaces | MDN)

The concern here is the domain policy in the call where the * is too permissive. But since the help can be placed on any given URL, there is no way for Adobe to do it differently. Personally, I don't believe this is an issue as postMessage is meant for secure communication and it's not something you can just hijack.

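To make the point of the reply above concrete, here is an added example (not RoboHelp's or Adobe's code) that puts the flagged call with a `*` target origin next to a pinned one and shows the receiver-side `event.origin` check that makes such a channel safe to consume. The two origins and the `topic` message shape are constructed placeholders.

```javascript
// Added example, not RoboHelp's own code: the flagged call (targetOrigin "*")
// beside a pinned one, plus the receiver-side origin check. Origins are placeholders.
const HELP_ORIGIN = "https://help.example.test";   // assumed origin of the WebHelp output
const HOST_ORIGIN = "https://portal.example.test"; // assumed origin of the page embedding it

// Flagged sender: "*" means the browser delivers the data to whatever origin
// the target window is currently at, even if it has since been navigated away.
function postPermissive(targetWindow, data) {
  targetWindow.postMessage(data, "*");
}

// Hardened sender: pin the target origin so the browser drops the message
// unless the receiving window is really at that origin.
function postPinned(targetWindow, data, targetOrigin) {
  if (targetOrigin === "*") throw new Error("refusing wildcard targetOrigin");
  targetWindow.postMessage(data, targetOrigin);
}

// Receiver: accept only exact-match origins from an allow list (no prefix or
// regex tests) and only the message shape the help viewer defines.
function makeHelpMessageHandler(allowedOrigins, onTopic) {
  const allowed = new Set(allowedOrigins);
  return function handle(event) {
    if (!allowed.has(event.origin)) return false;             // untrusted sender: drop
    const msg = event.data;
    if (!msg || typeof msg.topic !== "string") return false;  // unexpected shape: drop
    onTopic(msg.topic);
    return true;
  };
}

// Minimal stand-in for a browser window so this runs under Node: it applies the
// same rule the browser does, delivering only when targetOrigin is "*" or matches.
function fakeWindow(origin) {
  const w = { origin, received: [] };
  w.postMessage = (data, targetOrigin) => {
    if (targetOrigin === "*" || targetOrigin === origin) w.received.push(data);
  };
  return w;
}

function demo() {
  const stray = fakeWindow("https://other.example.test");   // frame now at another origin
  postPermissive(stray, { topic: "install.htm" });          // delivered: "*" trusts anyone
  postPinned(stray, { topic: "install.htm" }, HELP_ORIGIN); // dropped by the browser rule
  return stray.received.length;                             // 1: only the wildcard call leaked
}
```

In a real page the handler is registered with `window.addEventListener("message", handler)`; the allow list is what a deployment can pin when the hosting URL is known, which is the part the security finding is really asking for.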
jeffreywh (author)
New Here
Apr 20, 2015


I will pass that along. I'm not in direct contact with the customer's security people, so I don't know their level of concern beyond what was passed to me.

In any case, thanks!
