
RoboHelp HTML Version 9 - what is the version for ehlpdhtm.js?

Explorer, Dec 03, 2014


We have been running pen tests looking for vulnerabilities on applications my company has created in order to be PCI certified. I built webhelp systems for these applications using RoboHTML v9.

The pen test has indicated that ehlpdhtm.js is suspect with the following message:

WebInspect detected the use of an ActiveX object. This could indicate a vulnerability is present if a vulnerable public version of the Microsoft Active Template was utilized. There are three vulnerabilities in the public versions of the Microsoft Active Template Library (ATL) included with Visual Studio. Applications and components created with these versions of ATL are vulnerable to remote code execution and information disclosure attacks. Visual Studio itself is not vulnerable to these issues. In these three vulnerabilities, ATL processes data incorrectly which can lead to memory corruption, information disclosure, and instantiation of objects without regard to security policy. After Visual Studio is patched, it will no longer create applications and components with these vulnerabilities. However, applications and components compiled using the vulnerable version of ATL need to be rebuilt with the safe version released by Microsoft. Recommendations include applying any relevant service pack or patch as listed in the Fix section, then recompiling and redistributing any software created prior to the update. If you have already applied the proper fix, then this vulnerability can safely be ignored.
Explanation

Any application compiled using the vulnerable active template could be subject to code execution and information disclosure vulnerabilities.

What is the latest version of the ehlpdhtm.js file?

The copyright inside the file is:

// Dynamic HTML JavaScript

// Copyright © 1998-2009 Adobe Systems Incorporated. All rights reserved.

// Version=8.0

If this is not the latest version, is there somewhere I can get the latest file? If not, I won't be able to use the dynamic html features of RoboHTML.

LEGEND, Dec 04, 2014


If you have the latest patch installed (9.0.2), you have the latest version of ehlpdhtm.js. There was an XSS vulnerability fix for 9.0.1, but that is included in 9.0.2. From what I can see in my installation, version 8.0 is the latest version for RoboHelp 9.

RoboHelp 11 has a newer version of the file, but the ActiveX is still in there.

I'm not a security expert. The ActiveX is used for supporting old versions of IE and CHMs. It should not be used by modern browsers. I've never heard of RoboHelp being abused in this way so I would deem it safe. But again, that's just my layman's opinion.

Kind regards,

Willam
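
As an added example (not part of the original thread and not Adobe's code), one way to triage a scanner finding like the one above is to inventory which ActiveX objects a generated help script instantiates and which `// Version=` header it carries. The sample source, the ProgID and the function names below are constructed for illustration and are not the contents of ehlpdhtm.js.

```javascript
// Added example: the sample source and ProgID are constructed, not taken from ehlpdhtm.js.
const SAMPLE_SOURCE = [
  '// Dynamic HTML JavaScript',
  '// Version=8.0',
  'function makePopup() {',
  '  if (window.ActiveXObject) {',
  '    var ctl = new ActiveXObject("Example.PopupControl");',
  '  }',
  '  // new ActiveXObject("Commented.Out") is never executed',
  '  document.write("<object classid=\'clsid:00000000-0000-0000-0000-000000000000\'></object>");',
  '}',
].join('\n');

// Return the value of the "// Version=" header comment, or null if absent.
function readVersionHeader(source) {
  const m = /^\s*\/\/\s*Version\s*=\s*([\w.]+)/m.exec(source);
  return m ? m[1] : null;
}

// List every ActiveX instantiation (script constructor or <object classid>)
// with its 1-based line number. Whole-line // comments are skipped; trailing
// comments and /* */ blocks are not parsed, so review hits by hand.
function findActiveXUse(source) {
  const ctor = /new\s+ActiveXObject\s*\(\s*(?:(["'])([^"']*)\1|([^)]*))\)/g;
  const clsid = /classid\s*=\s*["']?clsid:([0-9a-fA-F-]{36})/gi;
  const findings = [];
  source.split(/\r?\n/).forEach((line, i) => {
    if (/^\s*\/\//.test(line)) return;
    let m;
    while ((m = ctor.exec(line)) !== null) {
      // A literal ProgID is reported as-is; anything else is flagged as dynamic.
      const id = m[2] !== undefined ? m[2] : '(dynamic: ' + m[3].trim() + ')';
      findings.push({ line: i + 1, kind: 'ActiveXObject', id });
    }
    while ((m = clsid.exec(line)) !== null) {
      findings.push({ line: i + 1, kind: 'classid', id: m[1].toLowerCase() });
    }
  });
  return findings;
}

console.log('Version header:', readVersionHeader(SAMPLE_SOURCE));
console.table(findActiveXUse(SAMPLE_SOURCE));
```

The resulting list of ProgIDs and CLSIDs is what can be checked against the scanner's advisory; a script that only feature-tests `window.ActiveXObject` without instantiating anything produces no findings.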
