We're using a WebHelp system originally deployed using RoboHelp 9.0.2.271, and a recent security scan revealed a DOM-based cross-site scripting issue.
I recently upgraded to RoboHelp 10, migrated my help system to this version, and redeployed the system, but our security scan is still detecting the cross-scripting vulnerability in WebHelp. Wasn't this issue resolved in RoboHelp 10?
Thanks
You should contact Adobe Support with your concerns and specifics of the issue your security guys are finding. You may have to use the Multiscreen HTML5 SSL to get around issues with frames.
Hi,
What XSS vulnerability are you talking about? It’s hard to know whether an issue is fixed when we don’t know what issue you’re talking about.
Greet,
Willam
Here's an example of one of the issues the security scan caught:
Hi,
I’m not a security expert, but this script reads the URL of the current topic and redirects to the current topic with a bookmark. This is needed for when the same topic is used in multiple locations in the TOC.
I’ll ask around about this security issue.
Greet,
Willam
Hi,
Thanks for reporting this issue.
We have investigated this.
Different penetration testing tools report this differently.
The code is: if "bc-" is found in the URL, then it takes the left part of the URL, which will in any case have the current domain.
We checked; it is not a cross-scripting vulnerability issue. Please let us know if you find a real threat.
Thanks
RoboHelp Engineering Team
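As an added example (not RoboHelp's WebHelp code, nor anything posted in this thread), the following models the pattern the two replies above describe: read the current URL, keep only the part to the left of "bc-", and redirect to the current topic with a bookmark. It shows what a defender checks before letting a value taken from the address bar reach a navigation sink such as location.href: the target is re-derived from a parsed URL, confirmed to be same-origin, and the bookmark is allow-listed. The function names, the assumed "?bc-<bookmark>" query shape and the sample URLs are assumptions made for illustration; only the "bc-" marker comes from the thread.

```javascript
// Added example, not RoboHelp's code. Models a same-origin "redirect to the
// current topic with a bookmark" in a way that keeps address-bar input out of
// a DOM XSS sink. Node's global URL class is used; no browser globals needed.

const MARKER = "bc-"; // marker named by the Engineering reply in the thread

// Allow-list for bookmarks: identifier-like fragments only, so nothing that
// could be read as a scheme, markup or script is ever written to location.*.
const SAFE_BOOKMARK = /^[A-Za-z0-9_.-]{1,128}$/;

// Returns the bookmark that follows "bc-" in the URL, or null when there is
// none or it fails the allow-list. (Assumed query shape: ...?bc-<bookmark>)
function bookmarkFromHref(href) {
  const at = href.indexOf(MARKER);
  if (at === -1) return null;
  // Stop at the next delimiter; do not percent-decode, so encoded markup
  // such as %3C simply fails the allow-list instead of being interpreted.
  const raw = href.slice(at + MARKER.length).split(/[&#?]/)[0];
  return SAFE_BOOKMARK.test(raw) ? raw : null;
}

// Builds the redirect target: the left part of the URL (before "bc-") with the
// validated bookmark as the fragment. Returns null whenever anything is off,
// so the caller simply does not redirect rather than navigating to a tainted
// string. expectedOrigin is the origin the help system is served from.
function buildTopicRedirect(currentHref, expectedOrigin) {
  let current;
  try {
    current = new URL(currentHref);      // reject anything that is not a URL
  } catch (e) {
    return null;
  }
  if (current.origin !== expectedOrigin) return null; // same-origin only

  const bookmark = bookmarkFromHref(current.href);
  if (bookmark === null) return null;

  // "Left part of the URL" as described in the thread, with any dangling
  // query/fragment delimiter removed before re-parsing.
  const base = current.href
    .slice(0, current.href.indexOf(MARKER))
    .replace(/[?&#]+$/, "");

  let target;
  try {
    target = new URL(base);
  } catch (e) {
    return null;
  }
  // Re-check after slicing: the left part must still be our own origin.
  if (target.origin !== expectedOrigin) return null;

  target.hash = bookmark; // the URL setter serialises the fragment for us
  return target.href;
}

// Browser usage (constructed, not run here):
//   const to = buildTopicRedirect(window.location.href, window.location.origin);
//   if (to !== null && to !== window.location.href) window.location.replace(to);
```

The point for a scan finding like the one in the thread is that a tool flagging "location is read and then written" cannot by itself tell a same-origin bookmark redirect from an open redirect; the two origin checks and the allow-list above are what make the data flow demonstrably safe, and they give the reviewer something concrete to verify rather than a tool message.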