When a PAM user clicks on the Company logo in the left corner of the PAM client UI, a new page opens to a Symantec site. By clicking various links from the Symantec site they are able to eventually get to a Google Search page and search/browse for sites on the internet. They have observed that using this method allows a user to bypass their internet proxy. We don't require the PAM client to go through the internet proxy, because it is meant to just connect to PAM servers. It also has been identified that if you have a browser (Chrome) shortcut to a site, you can drag that shortcut into the PAM client and it will browse to that site in the original tab or a new tab from within the client.
This is considered a security risk. Our users should not be able to use the PAM client like a standard browser that connects them to any external URL, without going through the internet proxy.
Affects PAM releases 4.0 to 4.0.4 and 4.1 to 4.1.2.
The PAM client UI, which is a JxBrowser instance, did not explicitly disable drag and drop. It also had the logo implemented as a clickable link.
PAM Engineering coded changes to disable drag and drop and removed the hyperlink to the Symantec web site from the logo. This fix is included in PAM release 4.0.5 and will be included in releases 4.1.3+ and 4.2+. If you are running an affected release and need a hotfix for it, please engage PAM Support.
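As an added illustration of the control the client lacked, the following Python navigation policy admits only https navigations to configured PAM server hosts and refuses everything else; it is example code, not Symantec's fix and not the JxBrowser API, and the hostnames are constructed placeholders. It generalizes beyond the shipped fix (removing the logo link and disabling drag and drop) by rejecting every off-host navigation regardless of how it was initiated.

```python
from urllib.parse import urlsplit

# Constructed example configuration: the PAM servers this client may reach.
# These hostnames are placeholders, not from any real deployment.
PAM_SERVER_HOSTS = {"pam1.example.internal", "pam2.example.internal"}


def normalize_host(host: str) -> str:
    """Lower-case the host and drop a trailing dot so 'PAM1.example.internal.' matches."""
    return host.lower().rstrip(".")


def navigation_allowed(url: str, allowed_hosts=PAM_SERVER_HOSTS) -> bool:
    """Return True only for https navigations whose host is a configured PAM server.

    Vendor-site links, dragged-in browser shortcuts, non-https schemes
    (http:, file:, data:) and URLs carrying userinfo are all refused.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme != "https":  # urlsplit already lower-cases the scheme
        return False
    if parts.username is not None or parts.password is not None:
        return False  # rejects 'https://pam1.example.internal@evil.example/' lookalikes
    host = parts.hostname  # already lower-cased, port removed
    if not host:
        return False
    return normalize_host(host) in {normalize_host(h) for h in allowed_hosts}


def filter_navigations(urls, allowed_hosts=PAM_SERVER_HOSTS):
    """Split requested navigations into (allowed, blocked) lists, the shape an
    embedded-browser navigation callback would log for audit."""
    allowed, blocked = [], []
    for u in urls:
        (allowed if navigation_allowed(u, allowed_hosts) else blocked).append(u)
    return allowed, blocked
```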