Online help created by the team is going through a security vulnerability check now. It has been found that after integration of WebHelp with the application, document.location.href is a vulnerable point as per XSS (cross-site scripting). Please share your thoughts and any methods you have that can contain this situation. It's urgent, please help.
Can you start by telling us what version of RoboHelp you are using? There are some security patches available on the Adobe KB but without knowing your RH version I can't advise any further.
BTW please do not cross post. It helps no one. You may want to read the helpful tips before posting again. You can find them at http://forums.adobe.com/thread/467760?tstart=0
Hi RoboColum(n),
I am new to this forum so I didn't know much about the rules... I apologize for that to start with. I am using RoboHelp 9, and also tried a patch
Vulnerability identifier: APSB07-10
CVE number: CVE-2007-1280
However, it didn't work for us. Please advise, as we cannot proceed with our product release without clearing this audit. Thanks in advance for your time and patience.
The version is 9.0.1.262.
No problem Sunil.
There is an RH9 patch available at http://www.adobe.com/support/security/bulletins/apsb11-23.html which you can install. If you still get security issues after this I think you'll be on your own with Adobe. This is the only security issue they are aware of as far as I know.
Thanks RoboColum(n). Will try that patch and write back.
Isn't this about why Chrome will not run locally with a tripane window? If it is the same thing, keep in mind that Chrome (and maybe Opera?) are the only browsers to block that when run locally.
See www.grainge.org for RoboHelp and Authoring tips
Hello Sir,
We have been creating context-sensitive WebHelp for a payment domain product that has to go through PA DSS certification. While doing the audit for certification, this vulnerability of cross-site scripting by document.location.href was visible. The output opens in a separate window through the application, mostly in IE. We have tried the latest security patch APSB-11-23 available on the Adobe forum; however, it did not work for us.
The version used by us is 9.0.1.262. The patch says
RoboHelp 9 (versions 9.0.1.232 and earlier), RoboHelp 8, RoboHelp Server 9 and RoboHelp Server 8 for Windows
Note: Customers using RoboHelp 9 version 9.0.1.262 are not vulnerable to this issue.
However this issue persists in this version too. Please advise. Thanks in advance for your time, effort and patience.
You need to contact RH Technical Support and outline why you think the vulnerability still exists in your point version.
Hi RoboColum(n)
We applied the suggested patch and generated WebHelp. The issue of document.location.href still persists. Thanks.
I have tried compiling WebHelp with RoboHelp 9.0.1.2.3.2 (older version) with the patch available. Is there any way I can test the vulnerability internally before sharing the help files for audit? Please suggest any VAPT testing tool names that can detect XSS vulnerability. Thanks.
Latest patch level takes you to 9.0.2.271 AFAIK - try that. There's no tester within RH; I'd try googling to see if something exists out there. Didn't your auditors give you something to use?
Hi Jeff,
Thanks for the suggestion. I have used a VAPT tool to identify the vulnerability. Also, the latest patch you mentioned is not available on the Adobe security bulletin link http://www.adobe.com/support/security/bulletins/apsb12-04.html. Is it available at some other link? If yes, kindly share. Thanks in advance.
You can update your copy through Help > Updates or from the web page: http://www.adobe.com/downloads/updates/
Thanks Jeff... life saver!