Hello All - Have a question about RoboHelp 9 and a security vulnerability. We discovered a vulnerability in the webhelp output we produce so I am starting here. The site requires authentication and then passes it into the page, so we believe that RoboHelp uses frames within its framework. The use of frames in authenticated sites is not recommended and as mentioned is a security vulnerability.
The new version fixes the cross-site scripting vulnerability involving the query string (example.paychex.com/path?XSS) but introduces an equivalent vulnerability with the URL hash tag (example.site.com/path#XSS). Normally, anything after the hash tag is considered a “fragment identifier”, which is a reference to some position in the document. Seems the vulnerability is due to the enabling cookie secure flag.
Has anyone heard of this?
Adobe RoboHelp team is looking into issue, and will keep the user forum updated of the progress. In the mean time, can you please provide the following information
Adobe RoboHelp Team