Storyline Flash Vulnerabilities

Jul 17, 2015

Hello,

Knowing that Storyline (and other eLearning authoring tools) still exports and obscures to Flash/SWF for HTML5 and SCORM, etc., can anyone shed light on the security issues that might arise from Flash's latest (and never-ending) security flaws? I have clients that have raised concerns.

Thanks. 

Ashley Terwilliger-Pollard

Hi Jim,

I can't recommend deleting the files; others in the community might. You can point directly to the story_html5.html link and that'll bypass the Flash output. But we're aware that some browsers, such as Firefox, have changed how they're handling Flash content, and you'll want to make sure you're using the latest version of Flash in the particular browser.

Please also know that we have a dedicated team focused on HTML5 as well as dedicated teams focused on playback via the Articulate Mobile Player. While we can't speak to future releases, we are aware of the decisions being made that impact the ability of web browsers to display Flash content and are actively working to make sure that our content will work on all major web browsers. 

Steve Flowers

I love, love, love the idea of using Flash less and less. But it feels super important to clarify the method by which these types of vulnerabilities work.

The Storyline-generated Flash files are not something that would allow the vulnerability to work. To be vulnerable, folks need:

  • The right versions of the Flash player
  • To visit a site that contains maliciously coded SWFs

In every case of vulnerability, visiting a site either through trickery or dark side exploration is the only way you can get infected / violated. And in the case of MOST Flash, Java, and browser vulnerabilities, the vector of attack is extremely sophisticated and no attacks have actually been seen in the wild. I really wish the articles that erupt every time there is a vulnerability would spend as much time on the realities of the vulnerability as they did raging and hating on the Flash player.

Deleting your swf files is not necessary. If the machine in question does not have the Flash player, the output will automatically switch over to the HTML output.

Kevin Thorn

To add to Jim's question, I have several clients, present and past, that have contacted me this week with concerns. All our (their) products are published in the HTML5 output and I've explained (not as well as Steve just outlined) that we're fine. Add the securities and firewalls of "most" client environments and LMSs, and I believe Storyline's Flash output is not in jeopardy.

That said, the browsers have spoken and some are yelling. Articulate is a software company first, and a fine one at that. Rest assured when Ashley says there is a dedicated team working on this, you should be comfortable knowing you have a team working in the shadows for you.

Jim Barker

From the client:

Regarding your assertion that Flash attacks are not seen in the wild, I can assure you that is completely false. I can only assume you are talking about something else, otherwise the CVE scoring for the 103 Critical Flash vulnerabilities in 2015 would not be “10”, as two of the variables that contribute to such a high rating are exploitability and complexity.

The latest Flash zero-days were included in all popular exploit toolkits within 24 hours of their announcement. Inclusion in these toolkits makes the exploit available to relatively unsophisticated attackers.

Thoughts?

Phil Mayor

http://www.intego.com/mac-security-blog/adobe-patches-flash-security-flaw-under-attack-in-the-wild/

“Adobe is aware of a report that CVE-2015-5119 is being actively exploited in the wild,” 

As Steve points out you must have the affected player and visit a site that has the exploit.

The courses published in Storyline will not make the client more vulnerable

Steve Flowers

Hey Jim - 

Was referring to the latest vulnerability that caused Firefox to deactivate the Flash player. There are exploits in the wild for some vulnerabilities. However, I am not aware of any reported issues (am now that Phil shared the article) with the latest discovered exploit before patching. I think what they're getting at is the significant risks for folks that are not patched.

As I mentioned before, the risks are higher for folks that click-through phishing links or hit sites that have either fallen victim to other attack or have intentionally been constructed to distribute an exploit. 

The point of all of this is to say that the risk isn't the same for all. If folks 1) patch their player and 2) only hit trusted sites / content, their risk nears the extreme end of low (not zero). If you refuse to patch your player and only hit trusted sites / content, the risk is marginally higher. Not patching your player and hitting every link you get in email and your spam folder will expose you to all kinds of ugliness. But this is a risk whether or not you have the Flash player installed.

And that's where the hyperbole and outcry really starts to create a problem. Deactivating the Flash player is a solution with other business consequences (for the short term). Could be worth it for some. But anyone who thinks that eliminates risk of security exploits is deluding themselves. And many simply use Flash player vulnerability as an extension of group think bias. 

I'm all for using Flash media less. But for many, it simply isn't a great option. I still have Flash content that runs exactly as it did 15 years ago within the Flash player. No changes required. I also have HTML content that runs as it did (mostly) 15 years ago. But these aren't equivalents. I have HTML5 content that I can't get to run 100% consistently across platforms... because browsers. Reality presents tough trade-offs. If we're going to argue about the disappearance of a cross-platform, reliable (within reason) technology, we should probably look at things from more than one perspective :)


Jim Barker

Just a curious follow up question. Why does Articulate still publish various support files in swf format when choosing HTML5 output? Legacy support of some sort? Again, I've tested the HTML5 output in various browsers AFTER deleting all swf files from the published output folder and everything worked as normal for me.

Steve Flowers

Hi Jim - 

There currently isn't an option to publish exclusively to HTML5. I suspect this is because, originally, the Flash version operated MUCH better than the HTML5. The tables have turned a bit and HTML5's output is a lot better than it was during version 1. It may not be long until there is a "Publish exclusively for HTML5". I would definitely use this as it shrinks packages by around 1/2. Put in a feature request! I'll do the same.
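
Jim's test above (deleting every SWF from the published folder and confirming the HTML5 output still runs) and Steve's estimate that an HTML5-only package would be about half the size are both things you can measure before handing a package to a client. The script below is an added example, not Articulate's code and not from any post in this thread: it walks a published output folder, inventories every .swf, reports what share of the package bytes they account for, and checks that the HTML5 entry point (story_html5.html, as named earlier in the thread) is present. build_sample_package() writes a constructed, made-up folder layout purely so the example runs offline; real Storyline output contains many more files, and the only name taken from the thread is story_html5.html.

```python
"""Audit a published output folder for leftover Flash assets.

Added example for this thread; not Articulate's code. The sample layout
written by build_sample_package() is constructed for the demonstration.
"""
import os
import tempfile

HTML5_ENTRY = "story_html5.html"  # HTML5 entry point named in the thread


def audit_package(root):
    """Inventory .swf files under root and check the HTML5 entry exists."""
    swf_files = []
    total_bytes = 0
    swf_bytes = 0
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            size = os.path.getsize(path)
            total_bytes += size
            if name.lower().endswith(".swf"):
                # Normalise separators so the report reads the same on any OS.
                swf_files.append(os.path.relpath(path, root).replace(os.sep, "/"))
                swf_bytes += size
    swf_files.sort()
    html5_present = os.path.isfile(os.path.join(root, HTML5_ENTRY))
    return {
        "swf_files": swf_files,
        "swf_share": (swf_bytes / total_bytes) if total_bytes else 0.0,
        "html5_entry_present": html5_present,
        # "Flash-free" means nothing Flash is left AND the HTML5 path still exists.
        "flash_free": (not swf_files) and html5_present,
    }


def strip_swf(root):
    """Delete every .swf under root (what Jim did by hand); return what was removed."""
    removed = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(".swf"):
                path = os.path.join(dirpath, name)
                os.remove(path)
                removed.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(removed)


# Constructed layout: file names and sizes are invented for this example.
SAMPLE_FILES = {
    "story.html": 200,                  # Flash-first launcher (hypothetical)
    "story_html5.html": 200,            # HTML5 entry point, named in the thread
    "story_content/slide1.swf": 3000,   # invented slide asset
    "story_content/frame.swf": 1000,    # invented player asset
    "story_content/slide1.png": 500,    # invented image shared by both outputs
    "html5/lib/frame.js": 100,          # invented HTML5 player script
}


def build_sample_package():
    """Write the constructed layout to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="published_")
    for rel, size in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)  # placeholder bytes; only the size matters
    return root


if __name__ == "__main__":
    pkg = build_sample_package()
    before = audit_package(pkg)
    print("before:", before)
    print("removed:", strip_swf(pkg))
    print("after:", audit_package(pkg))
```

Run it against a real published folder by calling audit_package() on that path instead of the sample; the "swf_share" figure is the fraction of bytes an HTML5-only publish option would save in that package, which is the number behind Steve's rough "around 1/2". Keep strip_swf() for a copy of the output, not the original, and retest the HTML5 link in each target browser afterwards as Jim did.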
