We have been running pen tests looking for vulnerabilities on applications my company has created in order to be PCI certified. I built webhelp systems for these applications using RoboHTML v9.
The pen test has indicated that ehlpdhtm.js is suspect with the following message:
WebInspect detected the use of an ActiveX object. This could indicate a vulnerability is present if a vulnerable public version of the Microsoft Active Template was utilized. There are three vulnerabilities in the public versions of the Microsoft Active Template Library (ATL) included with Visual Studio. Applications and components created with these versions of ATL are vulnerable to remote code execution and information disclosure attacks. Visual Studio itself is not vulnerable to these issues. In these three vulnerabilities, ATL processes data incorrectly which can lead to memory corruption, information disclosure, and instantiation of objects without regard to security policy. After Visual Studio is patched, it will no longer create applications and components with these vulnerabilities. However, applications and components compiled using the vulnerable version of ATL need to be rebuilt with the safe version released by Microsoft. Recommendations include applying any relevant service pack or patch as listed in the Fix section, then recompiling and redistributing any software created prior to the update. If you have already applied the proper fix, then this vulnerability can safely be ignored.
Any application compiled using the vulnerable active template could be subject to code execution and information disclosure vulnerabilities.
What is the latest version of the ehlpdhtm.js file?
The copyright inside the file is:
// Copyright © 1998-2009 Adobe Systems Incorporated. All rights reserved.
If this is not the latest version, is there somewhere I can get the latest file? If not, I won't be able to use the dynamic html features of RoboHTML.
If you have the latest patch installed (9.0.2), you have the latest version of ehlpdhtm.js. There was an XSS vulnerability fix for 9.0.1, but that is included in 9.0.2. From what I can see in my installation, version 8.0 is the latest version for RoboHelp 9.
RoboHelp 11 has a newer version of the file, but the ActiveX is still in there.
I'm not a security expert. The ActiveX is used for supporting old versions of IE and CHMs. It should not be used by modern browsers. I've never heard of RoboHelp being abused in this way so I would deem it safe. But again, that's just my layman's opinion.
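One way to triage the scanner finding discussed in this thread, as an added example that is not part of the original posts or of Adobe's code: list every `ActiveXObject` instantiation in a script together with the ProgID it requests, so each referenced control can be reviewed against the ATL advisory the scanner cites. The sample source is constructed and is not the contents of ehlpdhtm.js; the function names are hypothetical.

```javascript
// SAMPLE is constructed for illustration; it is NOT the contents of ehlpdhtm.js.
const SAMPLE = [
  '// legacy path: new ActiveXObject("Commented.Out")',
  'function getXml() {',
  '  if (window.ActiveXObject) {',
  '    return new ActiveXObject("Microsoft.XMLDOM");',
  '  }',
  '  return document.implementation.createDocument("", "", null);',
  '}',
  'var ctl = new ActiveXObject(progIdFromConfig);',
  "var xhr = new window.ActiveXObject('Msxml2.XMLHTTP');",
].join('\n');

// Blank out comments but keep string literals and line breaks, so that
// commented-out code is ignored and reported line numbers stay correct.
// Heuristic: regex literals that contain quote characters are not handled.
function stripComments(src) {
  return src.replace(
    /("(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*')|\/\/[^\n]*|\/\*[\s\S]*?\*\//g,
    (m, str) => (str !== undefined ? str : m.replace(/[^\n]/g, ' '))
  );
}

// Return one record per instantiation. A literal ProgID is reported as-is;
// anything else (variable, concatenation) is flagged dynamic for manual review.
function findActiveX(src) {
  const code = stripComments(src);
  const re = /\bnew\s+(?:window\s*\.\s*)?ActiveXObject\s*\(\s*(?:(["'])([^"'\n]*)\1|([^)]*))\s*\)/g;
  const hits = [];
  let m;
  while ((m = re.exec(code)) !== null) {
    const line = code.slice(0, m.index).split('\n').length;
    hits.push(m[2] !== undefined
      ? { line, progId: m[2], dynamic: false }
      : { line, progId: null, expr: m[3].trim(), dynamic: true });
  }
  return hits;
}

for (const h of findActiveX(SAMPLE)) {
  console.log(`line ${h.line}: ${h.dynamic ? 'dynamic (' + h.expr + ')' : h.progId}`);
}
```

Feature-detection checks such as `if (window.ActiveXObject)` are deliberately not reported, since they do not instantiate a control.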