8 Replies Latest reply on Apr 8, 2013 11:27 AM by Willam van Weelden

    Is Javascript a security threat?

    John D 67995437 Level 1

      The IT dept of a potential client has identified some of the Javascript in my Webhelp output as a potential security threat for cross-site scripting.

       

      Could someone please answer the following questions about the following code block?

       

      • What is its purpose?

       

      • Can all, or part of it be deleted? (And if so, please provide excruciatingly detailed instructions for removing javascript or minimising it in my output files.)

       

      • Do you think that the javascript in webhelp constitutes a security threat?

      I am using RoboHelp 8 & don't know nothin' bout no javascript. This objection has never arisen before.

       

      The code block (and especially the if statements about two different windows)

       

      if (window.gbWhTopic)
      {
        var strUrl = document.location.href;
        var bc = 0;
        var n = strUrl.toLowerCase().indexOf("bc-");
        if (n != -1)
        {
          document.location.href = strUrl.substring(0, n);
          bc = strUrl.substring(n+3);
        }

        if (window.addTocInfo)
        {

        }
        if (window.writeBtnStyle)
          writeBtnStyle();

        if (window.writeIntopicBar)
          writeIntopicBar(0);

        if (window.setRelStartPage)
        {
          setRelStartPage("Acco_3.htm");

          autoSync(1);
          sendSyncInfo();
          sendAveInfoOut();
        }
      }
      else
        if (window.gbIE4)
          document.location.reload();

       

      Thanks for any enlightenment,

       

      John

        • 1. Re: Is Javascript a security threat?
          Captiv8r Adobe Community Professional & MVP

          Hi John

           

          Here's the deal. With RoboHelp, you create HTML topic pages. And when it's time to create output, you choose the output type and create it. From what I've seen of your code, I'm guessing that you created WebHelp output. In WebHelp output, as the WebHelp is generated each topic is copied from the hard drive into memory and modified. Exactly HOW the topics are modified depends on the options you have selected in the Single Source Layout (SSL) recipe. The options govern which different bits of JavaScript code are added and inserted into the topic. The modified version of the topic is then saved to the folder location specified in the SSL recipe.

           

          One of the options is called "Show Navigation Pane Link in Topics".

           


          With this option enabled, the JavaScript code written into the topic performs a "sniff test" to ask: "Am I being presented within my WebHelp frameset?" and if the answer is no, code is written into the topic that provides the end user a link that reloads the topic within the WebHelp frameset when the user clicks it.

           

          I do know that a year or two back, some sort of "cross site scripting vulnerability" was discovered, but I believe Adobe issued a patch shortly after the discovery that addressed it.

           

          My guess here is that while it may look bad, what you are seeing is pretty innocuous and nothing to be concerned about.

           

          Cheers... Rick

          • 2. Re: Is Javascript a security threat?
            John D 67995437 Level 1

            OK, thanks for your info Rick.

            • 3. Re: Is Javascript a security threat?
              Peter Grainge Adobe Community Professional (Moderator)

              You can avoid the use of frames using the new Multiscreen HTML5 output in Rh10.

               

              Use one of the desktop layouts there.

               


              See www.grainge.org for RoboHelp and Authoring tips

               

               

              @petergrainge

              • 4. Re: Is Javascript a security threat?
                John D 67995437 Level 1

                Great! Thanks Peter.

                • 5. Re: Is Javascript a security threat?
                  TanTurn

                  Hello,

                   

                  We too are experiencing this problem and need to get it to turn off. I have looked at the past discussions surrounding this topic and it seems that this document.location.href code has something to do with breadcrumbs? I don't have breadcrumbs or the navigation pane link turned on anywhere in my system (using RH 10), so I am not too sure why RH is adding this code to all my topics.

                  Regardless, do you know where this code is originating from? I can see reference to it in the whutil.js but according to our JavaScript developer I need to find the file that inserts the code (document.write or something similar).

                  Any help would be appreciated. I have a number of WebHelp and WebHelp Pro systems and don't want to have to change every file in every generated help system with security code each time I generate and release. Peter's suggestion to use Multiscreen HTML5 output is a good one, but the change would be a bit more wide-reaching than just my help systems, so at the moment it is not the immediate option.

                   

                  Thank you,

                   

                  Tannis

                  • 6. Re: Is Javascript a security threat?
                    Willam van Weelden Adobe Community Professional & MVP

                    I believe that this code checks whether there is a breadcrumb available on the current page. This code is added on generation. This is part of the generation process and I'm not sure if it can be changed.

                     

                    Is it a potential risk? Is taking your car downtown a risk? I'm not a security expert, but this sounds a bit paranoid to me.

                    RoboHelp 10 WebHelp has changed the way it works and it uses safe cross-frame communication. That might be a solution for you. Otherwise the Multiscreen HTML5 output may help.

                     

                    Greet,

                     

                    Willam

                    • 7. Re: Is Javascript a security threat?
                      TanTurn Level 1

                      Thank you Willam,

                       

                      Do you know if it is just RH 10 Web Help that has this safe cross-frame communication? Does WebHelp Pro also have it? I am currently outputting to WebHelp Pro using RoboHelp 10.

                       

                      As to your comment whether or not this code is a security risk or not, I do understand your point, however, as I have no control over what the customer perceives as a security risk in their highly secure and extremely regulated environment, I have little choice other than to try and fix the problem.

                       

                      Thank you,

                       

                      Tannis

                      • 8. Re: Is Javascript a security threat?
                        Willam van Weelden Adobe Community Professional & MVP

                        Nope, the code is still there in WebHelp Pro.

                         

                        I understand that you have to live with your customer. Life could be so much easier ;-)

                         

                        What you can try is using a find and replace in your output, changing all occurrences of

                         

                        var strUrl = document.location.href;

                         

                        to

                         

                        var strUrl = "";

                         

                        I don't believe it'll break anything (important). This may save you a major headache.

                         

                        Greet,

                         

                        Willam