Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed


IBM Notes accepts Java applet and JavaScript tags inside HTML

Daniel Nashed  3 May 2013 14:16:42

There is an issue in the Notes client that you should be aware of.
heise Security has posted about this issue yesterday -->

Notes did allow Java/JavaScript and Applets in emails for a long time. I have tested with and old Notes 7 client today.
There have been issues with the underlaying JVM which makes it more critical.

In Notes you can control as described in the article and also in the IBM technote released yesterday -> how you can disable Java/JavaScript and Apples in the Notes client.
This can be done via notes.ini, Preferences and you can also distribute it via Desktop policies and lock it down.
A paranoid administrator would have already disabled it when the first issues with Java security have been reported a while ago (not just the IBM JVM but also the Oracle JVM).

And you can also change the ECL settings for Java and JavaScript locally on your workstation or deploy it centrally to avoid that unsigned code can be executed. This would even work with an older Notes 7 client.

The issue reported is that the Notes client does generally execute Java/JavaScript and Java Applets in HTML mail by default.

There is a Interims Fix available since yesterday which does not allow this functionality in HTML email. Also the just released 8.5.3 FP4 and also 9.0 are affected.

You don't need to install the fix asap. But you should disable the functionality using policy settings as a short term solution at least.

I agree that his can be a potential risk and also would rate it quite high. At the time it was implemented customers wanted to have this new flexibility.
It would have been just good to be able to control it in main with a separate setting and have it disabled by default.

-- Daniel


1Christian Henseler  15.05.2013 12:51:55  IBM Notes accepts Java applet and JavaScript tags inside HTML

The initial 8.5.3FP4 and 8.5.3FP4IF1 Releases were/are causing problems with 3rd Party applications.

({ Link })

Ensure that you use 8.5.3FP4IF1Rev1, released on 14/05/2013.



    • [HCL Domino]
    • [Domino on Linux]
    • [Nash!Com]
    • [Daniel Nashed]