diff --git a/javascript/ql/src/experimental/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.help b/javascript/ql/src/experimental/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.help index 0a2d9e81f96..84fe742453c 100644 --- a/javascript/ql/src/experimental/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.help +++ b/javascript/ql/src/experimental/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.help @@ -1,39 +1,30 @@ - - + +

Applications decoding JSON Web Token (JWT) may be misconfigured due to the none algorithm.

+

The none algorithm is selected by calling the verify() function with a falsy value +instead of a cryptographic secret or key. The none algorithm disables the integrity enforcement of +a JWT payload and may allow a malicious actor to make any desired changes to a JWT payload leading +to critical security issues like privilege escalation.

-

The featured CodeQL query warns using of none algorithm in verify() functions imported from jsonwebtoken package developed by the auth0 organization.

- -

Backend JavaScript applications handling JWT could be affected by the none algorithm misconfiguration due to misusing verify() functions imported by jsonwebtoken package. -Providing an empty string or a false value, instead of a secret or a key, enable the none algorithm to decode JWT payloads without signature verification. -Misconfigured backend JavaScript on a production environment could be impacted by exploitation violating the integration of a JWT.

-

-verify() functions should use a secret or a key to decode JWT payloads. -

-

-Use a a secret or a key to decode JWT payloads. -

-

-

+

Use a secret or a key to decode JWT payloads when calling the verify() function.

-

The example starts with a secret signing an object using the HS256 algorithm. -In the second case an empty string is provided, then an undefined value, and finally a false value. -These three misconfigued verify() functions is detected to be potentially a cybersecurity vulnerability. -

+

In the example, the first case is signing an object with a secret and a HS256 algorithm. In the +second case, an empty string is provided, then an undefined value, and finally a false value. These +three misconfigured calls to jwt.verify() can cause vulnerabilities.

+
  • Auth0 Blog: Meet the "None" Algorithm.
  • +
    \ No newline at end of file
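Review bot: the rewritten example paragraph at the end of the hunk still does not tell the reader which of the four calls is the compliant one; "the first case is signing an object with a secret and a HS256 algorithm" describes a sign() call, while the query is about verify(), so if the first case is meant as the correct verify() call with the real secret, say so explicitly and then contrast it with the three flagged calls. Suggested wording: "In the example, the first case signs and verifies the payload with a secret using the HS256 algorithm and is the correct usage. In the second case an empty string is provided, then an undefined value, and finally a false value; these three jwt.verify() calls are flagged by the query." Since the recommendation line was also rewritten ("Use a secret or a key to decode JWT payloads when calling the verify() function"), consider saying "verify" rather than "decode" there, as decoding without verification is exactly the behaviour the query warns about. Finally, the unchanged sentence "warns using of none algorithm in verify() functions imported from jsonwebtoken package" has a grammar slip that could be fixed while this file is being touched, e.g. "warns about use of the none algorithm in verify() calls from the jsonwebtoken package".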