• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0

More Cross-Site Scripting vulnerabilities in .js files in RoboHelp 9

New Here ,
Jun 04, 2015 Jun 04, 2015

Copy link to clipboard

Copied

Adobe Customer Support tells me that RoboHelp version 9 is no longer updated and that I need to ask on this forum if there is any solution to the problems of Cross-Site Scripting vulnerabilities (discovered by the IT group's scanning our web app that includes the WebHelp generated by RoboHelp). There are problems with these two JavaScript files:  whphost.js and whutils.js. If there are not any updates to the product, does anyone have a recommendation for handling these vulnerabilities? Does anyone know of any work-arounds?

Views

263

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jun 04, 2015 Jun 04, 2015

Copy link to clipboard

Copied

See this thread - https://forums.adobe.com/message/5388554#5388554 and others like it.

You need to identify the specific issue your security audit is freaking out about and check to see if any changes have been made in newer versions of RH. If there haven’t been any changes, you need to contact Adobe Tech Support with your specific concerns.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Jun 04, 2015 Jun 04, 2015

Copy link to clipboard

Copied

Thanks, Jeff.
Yeah, I've seen that thread and for that vulnerability, there is a simple work-around.
But recently, a scan has highlighted these lines as vulnerabilities:

In the whphost.js file:

    37    this.show = function(bShow)

    43    this.load();

    83    this.load = function()

    88    var strFile = _getFullPath(getPath(), this.msComFile);

    94    var sHTML = "<IFRAME ID=" ...;

    98    sHTML += "100%; height:100%;\"></IFRAME>";

    166    for (var s = 0; s < this.maCom.length; s++)

    171    this.maCom[nId].show(true);

    204    function getPath()

    208    gsPath =  location.href;

    213    return gsPath;

In the whutils.js file:

    92    function _getHost(sPath)

    103    return sPath;

    106    function _getFullPath(sPath, sRelPath)

    111    return _getHost(sPath) + sRelPath;

This is starting to look too complicated for a simple work-around.
How would I check to see if these are handled in any versions 10 or 11?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jun 04, 2015 Jun 04, 2015

Copy link to clipboard

Copied

LATEST

I’d find a non-production machine and download a trial copy, then have a look at the template js files you’re interested in. Have you investigated the HTML5 output to see if it satisfy your security guys?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
RoboHelp Documentation
Download Adobe RoboHelp