2 Replies Latest reply on May 28, 2013 7:57 AM by Willam van Weelden

    whnjs.htm javascript file and cross-site scripting - security concerns

    TechDocJosh

      Hello. Our internal auditors found a serious security issue because of a javascript file generated by RoboHelp in the WebHelp output. The file they identified was whnjs.htm. Here's the description:

      This page has javascript which sets a frame on the page to the hash of the URL. This can be used as an injection point for cross site scripting.

      POC: https://xxx.xxx/WebHelp/whnjs.htm#javascript:alert(1) //

      Internet Explorer only.

      Does this mean anything to anyone here? I'm using RH9. I'm hoping just an upgrade to v11 will fix this, as I can easily justify that cost with an issue like this.

      Thanks, Josh
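
The finding quoted in the post above describes a page that uses the URL fragment as a frame location without checking it. As an added example (not part of the original post and not RoboHelp's own code), this is one way to validate such a fragment before a frame is navigated to it; `safeFrameTarget`, `frameLocationFor`, `DEFAULT_TOPIC` and the sample host are hypothetical.

```javascript
// Added example: validate a URL fragment before using it as a frame location.
// Function names, DEFAULT_TOPIC and the sample host are assumptions for illustration.

const DEFAULT_TOPIC = "default.htm"; // assumed fallback topic in the help folder

// Returns an absolute URL that is safe to load in the content frame, or null.
function safeFrameTarget(hash, baseHref) {
  const raw = String(hash || "").replace(/^#/, "");
  if (raw === "") return null;

  let base, target;
  try {
    base = new URL(baseHref);
    // Let the URL parser resolve the value; it normalises embedded tabs and
    // newlines the same way a browser does, which a regex check can miss.
    target = new URL(raw, base);
  } catch (e) {
    return null;
  }

  // Only web schemes: rejects javascript:, data:, vbscript: and similar.
  if (target.protocol !== "http:" && target.protocol !== "https:") return null;

  // Same origin only: rejects absolute and protocol-relative (//host) URLs.
  if (target.origin !== base.origin) return null;

  // Must stay inside the folder that holds the help page (no ../ escape).
  const dir = base.pathname.slice(0, base.pathname.lastIndexOf("/") + 1);
  if (!target.pathname.startsWith(dir)) return null;

  // Only help topics (.htm / .html) are valid frame content.
  if (!/\.html?$/i.test(target.pathname)) return null;

  return target.href;
}

// Picks the validated target, or falls back to the default topic.
function frameLocationFor(hash, baseHref) {
  return safeFrameTarget(hash, baseHref) || new URL(DEFAULT_TOPIC, baseHref).href;
}

// In the page itself this would be used as (frame name is an assumption):
//   contentFrame.location.replace(frameLocationFor(location.hash, location.href));
```
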