2 Replies Latest reply on Jun 28, 2016 9:02 AM by LEH_0201

    Cross-scripting errors in WebHelp output (RoboHelp 2015)

    LEH_0201

      After running a security scan of the product, the application developers reported DOM cross-scripting errors resulting from the online help. This is what the scan turned up:


      DOM XSS Issue in the following files:
      • Whstart.js -> document.location=document.location;
      • whtbar.js -> top.location = strURL;
      • whtopic.js -> window.location = strUrl
      • whtopic_nc.js -> window.location = strMainPage.substring(0, indx+1) + "whcsh_home.htm#topicurl=" + strMainPage.substring(indx+1);


      And also an open redirect issue in the following file:

      whtbar.js -> top.location = strURL;


      I am generating WebHelp using RoboHelp 2015 (version 12.0.2.384).


      I was under the impression that the cross-site scripting errors existed in earlier versions of RoboHelp (8 and 9) and had been corrected in subsequent releases. My search of the RoboHelp forums did turn up a more recent post about similar issues with Responsive HTML 5 output, but that's not the output format I'm using.


      Has anyone else recently experienced these errors in WebHelp? Does Adobe have a fix for this issue?
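The findings quoted above all have the same shape: a value derived from the page's own URL is assigned to `top.location` or `window.location` without being checked first, which is what a DOM-based scanner flags as DOM XSS (a `javascript:` target) and as an open redirect (an off-site target). The following is an added example, not code from RoboHelp's whtbar.js or any other file mentioned in this thread; it models that sink and shows a hardened replacement. The query-parameter name `url`, the help-site origin `https://help.example.com` and the fallback topic `/whcsh_home.htm` are assumptions for illustration.

```javascript
// Added example: a minimal model of the sink the scan flagged
// (top.location = strURL / window.location = strUrl) and a hardened
// replacement. This is not RoboHelp's whtbar.js; the query-parameter
// name "url", the help-site origin and the fallback topic are assumed.

// Assumed origin the WebHelp output is served from.
const HELP_ORIGIN = 'https://help.example.com';
// Assumed safe landing page used whenever the requested target is rejected.
const FALLBACK_TOPIC = '/whcsh_home.htm';

// Pull the redirect target out of the page's own URL. In generated help
// this comes from the query string or fragment; an attacker controls it
// by crafting the link a victim clicks.
function targetFromPage(pageHref) {
  return new URL(pageHref).searchParams.get('url');
}

// Vulnerable pattern (the shape the scanner reported): whatever was in the
// URL is returned verbatim and, in the real code, assigned to top.location.
// "javascript:..." runs script in the help page's origin (DOM XSS);
// "//evil.example/..." sends the user off-site (open redirect).
function unsafeTarget(pageHref) {
  return targetFromPage(pageHref);
}

// Hardened version: resolve the value relative to our own origin, then only
// accept http(s) URLs that still sit on that origin. Anything else
// (javascript:, data:, other hosts, protocol-relative "//host", malformed
// input) collapses to the fallback topic. Returning a path rather than the
// raw string also drops any credentials or host the input tried to smuggle in.
function safeTarget(pageHref, allowedOrigin = HELP_ORIGIN, fallback = FALLBACK_TOPIC) {
  const raw = targetFromPage(pageHref);
  if (raw === null || raw.trim() === '') return fallback;

  let target;
  try {
    target = new URL(raw, allowedOrigin); // relative "topic.htm#x" resolves on allowedOrigin
  } catch (e) {
    return fallback; // unparseable input is never navigated to
  }

  const httpLike = target.protocol === 'http:' || target.protocol === 'https:';
  if (!httpLike || target.origin !== allowedOrigin) return fallback;

  return target.pathname + target.search + target.hash;
}

// Stand-in for "top.location = strURL": assigns to whatever window-like
// object is passed in and returns what was assigned, so the behaviour can
// be checked outside a browser.
function redirect(topLike, pageHref) {
  topLike.location = safeTarget(pageHref);
  return topLike.location;
}

// Self-check with constructed links (not real help-system URLs).
if (typeof module !== 'undefined' && require.main === module) {
  const xss = 'https://help.example.com/whtbar.htm?url=javascript:alert(document.domain)';
  const open = 'https://help.example.com/whtbar.htm?url=//evil.example/phish';
  const good = 'https://help.example.com/whtbar.htm?url=topics/intro.htm%23step2';
  console.log('unsafe:', unsafeTarget(xss)); // javascript:alert(document.domain)
  console.log('safe  :', safeTarget(xss));   // /whcsh_home.htm
  console.log('safe  :', safeTarget(open));  // /whcsh_home.htm
  console.log('safe  :', safeTarget(good));  // /topics/intro.htm#step2
}
```

The check is an allow-list on scheme and origin rather than a block-list of bad prefixes: `new URL` normalises case (`JavaScript:`), backslashes and protocol-relative forms before the comparison, so the usual bypasses of a string-prefix filter land on the origin check instead. Note that the `whstart.js` finding (`document.location = document.location`) is a self-reload with no attacker-controlled value in the assignment; scanners report it because it matches the source-to-sink pattern, so it is worth triaging separately from the `strURL` sinks.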

        • 1. Re: Cross-scripting errors in WebHelp output (RoboHelp 2015)
          Captiv8r Adobe Community Professional & MVP

          Are you claiming these are errors that need addressing or possible security issues?


          I've seen reports in the past where folks were wringing their hands because their IT or other folks were saying there were security threats from these cross-scripting issues. And to be honest, I've never once in my 20+ years of using the product heard of anyone actually successfully exploiting things. But I do understand it's a concern.


          Personally, I'd file a bug on it or contact Adobe Support directly and see what they may say about it.


          Cheers... Rick

          • 2. Re: Cross-scripting errors in WebHelp output (RoboHelp 2015)
            LEH_0201 Level 1

            Sorry, perhaps "error" was the wrong word. The security scan flagged these issues and the application developers want us to correct them.


            I'm hoping someone from Adobe might chime in here, but I will also try the other channels you suggest.