ASA-2019-00072 – Electron: Vulnerability that allowed Node to be re-enabled in child windows


Allele Security Alert

ASA-2019-00072

Identifier(s)

ASA-2019-00072

Title

Vulnerability that allowed Node to be re-enabled in child windows

Vendor(s)

GitHub

Product(s)

Electron

Affected version(s)

All supported versions of Electron

Fixed version(s)

Electron versions 2.0.17, 3.0.15, 3.1.3, 4.0.4, and 5.0.0-beta.2

Proof of concept

Unknown

Description

A code vulnerability has been discovered that allows Node to be re-enabled in child windows.

Opening a BrowserView with sandbox: true or nativeWindowOpen: true and nodeIntegration: false results in a webContents where window.open can be called and the newly opened child window will have nodeIntegration enabled.
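
As an added example (not part of the original advisory or of Electron's own code), the JavaScript below checks an Electron version against the fixed releases listed above and flags a BrowserView whose webPreferences match the described condition. The function names are hypothetical, the condition is read as (sandbox: true or nativeWindowOpen: true) together with nodeIntegration: false, and release lines not named in this advisory are reported as 'unlisted' rather than guessed.

```javascript
// Added example: fixed releases copied from this advisory, keyed by release line.
const FIXED = { '2.0': '2.0.17', '3.0': '3.0.15', '3.1': '3.1.3', '4.0': '4.0.4', '5.0': '5.0.0-beta.2' };

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parse(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(version);
  if (!m) throw new Error(`unrecognised version: ${version}`);
  return { nums: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : null };
}

// Semver ordering: numeric core first; a prerelease sorts before its release.
function compare(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] < y.nums[i] ? -1 : 1;
  }
  if (!x.pre || !y.pre) return x.pre ? -1 : y.pre ? 1 : 0;
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined) return -1;
    if (q === undefined) return 1;
    if (p === q) continue;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) return +p < +q ? -1 : 1;
    if (pn !== qn) return pn ? -1 : 1; // numeric identifiers sort first
    return p < q ? -1 : 1;
  }
  return 0;
}

// 'fixed' | 'vulnerable' | 'unlisted' (release line not named in the advisory).
function versionStatus(version) {
  const [major, minor] = parse(version).nums;
  const fix = FIXED[`${major}.${minor}`];
  if (!fix) return 'unlisted';
  return compare(version, fix) >= 0 ? 'fixed' : 'vulnerable';
}

// True when webPreferences match the advisory's condition on a vulnerable build.
function browserViewExposed(version, prefs = {}) {
  const trigger = (prefs.sandbox === true || prefs.nativeWindowOpen === true) &&
    prefs.nodeIntegration === false; // explicit false, as the advisory states it
  return trigger && versionStatus(version) === 'vulnerable';
}
```

Note that 3.1.2 is reported as vulnerable even though it is numerically newer than 3.0.15, because each release line has its own fixed version.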

Technical details

Unknown

Credits

PalmerAL

Reference(s)

BrowserView window.open() Vulnerability Fix
https://electronjs.org/blog/window-open-fix

electron v2.0.17
https://github.com/electron/electron/releases/tag/v2.0.17

electron v3.0.15
https://github.com/electron/electron/releases/tag/v3.0.15

electron v3.1.3
https://github.com/electron/electron/releases/tag/v3.1.3

electron v4.0.4
https://github.com/electron/electron/releases/tag/v4.0.4

electron v5.0.0-beta.2
https://github.com/electron/electron/releases/tag/v5.0.0-beta.2


Last modified: February 11, 2019
