
XG is contacting whatfix.com when I change firewall rules

I noticed that when using the GUI and making some changes to rules or policies, in the bottom left corner of my browser there is "waiting for whatfix.com".

So it seems the XG is sending information to that website. Why is it doing this? What data is transferred? And how can I disable that?

Running browser inspection, this is shown:

<script type="text/javascript" charset="utf-8" integrity="sha384-Ri1cUxmQGTk6k9rHS1TVx4oxxxxxxxxxxxxxxxxxxxxxp5yiG53soWAwGA4pxnnd" crossorigin="anonymous" src="cdn.whatfix.com/..."></script>

Even Javascript is downloaded! Why?



This thread was automatically locked due to age.
Parents
  • I don't understand this posting. On the one hand, you say multiple times that the XG is contacting a website, but then you note multiple times that it is your browser that is contacting the website. The latter appears to be correct.

  • And what could you possibly do in a hijacked browser session which holds an admin session to the XG?

  • You don't have to confound the actual issue in order for it to matter. A subtle new vector for a potential exploit is a serious issue. But the XG is not in contact with the server, your web browser is.

    I'll add that, per your discovery and awaiting clarifications from Sophos, I'm disabling connections to whatfix.com in my laptop firewall, which indicates 16 outgoing connections to whatfix.com (104.18.30.171, 104.18.31.171) and 3 to cdn.whatfix.com (104.18.31.171) since we got the EAP.

    Again, this is a good find. I just want to describe it accurately so as not to obscure the actual issue. From the whatfix website:

    Whatfix is an award-winning SaaS-based platform that allows businesses to create interactive guides on their web platforms. The company's patent-pending technology can be integrated with ease across all user touch-points inside web applications.

Children
  • "But the XG is not in contact with the server, your web browser is."
    That is true; however, the problem is that I am logged in as admin with my browser. There is JavaScript downloaded from an external URL. And I guess Cross-Site-Scripting is enabled for Whatfix.com, or the assistant wouldn't be able to work.

    So somebody using DNS cache poisoning or even hacking whatfix.com could potentially take over your firewall (open GUI to WAN, reset passwords etc).

  • Totally true. The outcome is the same no matter how we state it. But I think the statement should be accurate. The XG is not contacting an external site. The HTTP you get from the XG includes a link to that site and your web browser reaches out, and that opens a potential exploit. True.

    All I'm saying is the description's accuracy matters, not just the point that there is a potential problem that the new SFOS introduced.

  • What kind of action did you take against Sophos? Does someone already have a case ID?

    I'd create one as soon as we're on the new version next week. Adding an existing case# to new cases speeds things up.

    Disabling that by adding block rules is not what I like.

    I also think this has been introduced for new Sophos admins. It is OK, but there should be something in the GUI to disable it because I see it as a security issue.
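As an added example (not from this thread, Sophos or Whatfix), a small Python audit an admin can run over a saved copy of the admin-UI HTML: it lists scripts loaded from any host other than the firewall, reports whether each carries a Subresource Integrity (SRI) attribute like the one in the original post, and checks a fetched script body against such a pinned hash. The sample HTML, the admin address and the script body are constructed.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of what an admin-UI page might embed (placeholder hash, not a real one).
SAMPLE_HTML = """
<script src="/js/app.js"></script>
<script src="https://cdn.whatfix.com/prod/embed.js" integrity="sha384-PLACEHOLDERHASH"
        crossorigin="anonymous"></script>
<script src="https://cdn.whatfix.com/prod/other.js"></script>
"""
ADMIN_HOST = "192.0.2.10"  # constructed: the firewall's admin-UI address


class ScriptTagCollector(HTMLParser):
    """Collect every <script src=...> tag together with its attributes."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag.lower() == "script" and a.get("src"):
            self.scripts.append(a)


def third_party_scripts(html, admin_host):
    """Return scripts loaded from a host other than the admin UI, noting SRI coverage."""
    p = ScriptTagCollector()
    p.feed(html)
    out = []
    for a in p.scripts:
        host = urlparse(a["src"]).hostname
        if host and host != admin_host:  # relative and same-host srcs are not third party
            out.append({"src": a["src"], "host": host,
                        "has_sri": bool(a.get("integrity")),
                        "crossorigin": a.get("crossorigin")})
    return out


def sri_value(body, algo="sha384"):
    """Build the integrity value a page would pin for exactly this script body."""
    return algo + "-" + base64.b64encode(hashlib.new(algo, body).digest()).decode()


def sri_matches(body, integrity):
    """True only if the fetched body hashes to the pinned integrity value."""
    algo, _, _expected = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):  # the only SRI-recognised algorithms
        return False
    return sri_value(body, algo) == integrity


if __name__ == "__main__":
    for s in third_party_scripts(SAMPLE_HTML, ADMIN_HOST):
        print(("SRI-pinned " if s["has_sri"] else "UNPINNED  ") + s["src"])
```

An SRI attribute makes the browser refuse a script whose body no longer matches the pinned hash, which covers a swapped file on the CDN; it says nothing about what the pinned script itself may do inside the logged-in admin session, which is the concern raised above.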