whnjs.htm javascript file and cross-site scripting - security concerns

Report · May 22, 2013

Hello. Our internal auditors found a serious security issue because of a javascript file generated by RoboHelp in the WebHelp output. The file they identified was whnjs.htm. Here's the description:

This page has javascript which sets a frame on the page to the hash of the URL. This can be used as an

injection point for cross site scripting.

POC: https://xxx.xxx/WebHelp/whnjs.htm#javascript:alert(1) //

Internet Explorer only.

Does this mean anything to anyone here? I'm using RH9. I'm hoping just an upgrade to v11 will fix this, as I can easily justify that cost with an issue like this.

Thanks, Josh

Report · May 23, 2013

Well, there's no RH11 (yet) - RH10 is as high as it gets currently. There have been other posts about security issues and Javascript, but to do away with frames, you probably need to generate the new Multiscreen HTML5 help.

Report · May 28, 2013

Hi,

I've contacted Adobe about this issue and here is their reaction:

RH parses the URL to ensure this in relative path in Webhelp folder. Then it open that file path in that frame. If path is not as expected it opens default topic.

For example given below (https://xxx.xxx/WebHelp/whnjs.htm#javascript:alert(1) ) opens default topic.

This does not seem XSS vulnerability issue.

Please let us know if any one observed more than this.

It seems that this isssue is not an XSS vulnerability. You can respond to this question and I can relay any further questions/remarks.

Greet,

Willam

Adobe Community

whnjs.htm javascript file and cross-site scripting - security concerns