Forum Discussion

MarionVDA's avatar
MarionVDA
Community Member
10 months ago

HLS vulnerabilty on Storyline Modern Player

Hello, 

Our Security IT department identified a vulnerability issue with the file hls.min.js which is found in any course exported using Storyline 360 modern player, even if hls is 'turn off' (publish video quality set to Static). 

The application loads an external library or source code file using appendExecutor. An attacker might be able to exploit this and cause the application to load arbitrary code.

Using the classic player instead is not option due to the lack of responsiveness of that player.

Do you have any information on a future update of that file? 

  • Hello Marion!

    I've checked with our Engineering team. You should be able to safely delete the hls.min.js file from your published output if you've targeted static video without adversely affecting anything.

    Please let us know if you have additional questions.

  • Is this something the engineering team will look into to determine the risk and apply a fix if necessary.

    • EricSantos's avatar
      EricSantos
      Staff

      Hello Sam,

      Thanks for chiming in; good question! Our engineering team is currently looking at the issue with hls.min.js. We'll update this discussion once a fix is available.

  • Hi Kevin,

    I have some great news to share. We just released another update for Storyline 360. In Update 86, we’ve included important fixes and new features.

    One of the new features we’ve included: 

    • Fixed: Courses published with static quality incorrectly included an hls.min.js file, which is only needed for streaming video.

    Launch the Articulate 360 desktop app on your computer to take advantage of this update, and click the Update button next to Storyline 360. You’ll find our step-by-step instructions here.

    Please let me know if you have any questions.