Allele Security Alert
Vulnerability that allowed Node to be re-enabled in child windows
All supported versions of Electron
Electron versions 2.0.17, 3.0.15, 3.1.3, 4.0.4, and 5.0.0-beta.2
Proof of concept
A code vulnerability has been discovered that allows Node to be re-enabled in child windows.
Opening a BrowserView with sandbox: true or nativeWindowOpen: true and nodeIntegration: false results in a webContents where window.open can be called and the newly opened child window will have nodeIntegration enabled.
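An added example, not part of the original alert or the Electron project's code: a Node.js check that classifies an Electron version string against the versions listed in this alert. It assumes each listed version is the first patched release of its release line and that newer release lines already contain the fix; the function names and sample versions are constructed for illustration.

```javascript
// Added example, not Electron project code. FIXED holds the versions listed in this
// alert, assumed to be the first patched release of each release line (major.minor).
const FIXED = ['2.0.17', '3.0.15', '3.1.3', '4.0.4', '5.0.0-beta.2'];

function parse(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(version).trim());
  if (!m) throw new Error(`not a semantic version: ${version}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : [] };
}

// Semver precedence for prerelease tags: a release outranks any prerelease of the same core.
function comparePre(a, b) {
  if (!a.length || !b.length) return b.length - a.length;
  for (let i = 0; i < Math.min(a.length, b.length); i++) {
    const x = a[i], y = b[i];
    const nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
    if (nx && ny && Number(x) !== Number(y)) return Number(x) - Number(y);
    if (nx !== ny) return nx ? -1 : 1; // numeric identifiers sort below alphanumeric ones
    if (!nx && x !== y) return x < y ? -1 : 1;
  }
  return a.length - b.length;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a.core[i] !== b.core[i]) return a.core[i] - b.core[i];
  return comparePre(a.pre, b.pre);
}

function classifyElectron(version) {
  const v = parse(version);
  // Listed release lines at or below the running one, highest first.
  const lines = FIXED.map(parse)
    .filter(f => f.core[0] < v.core[0] || (f.core[0] === v.core[0] && f.core[1] <= v.core[1]))
    .sort((a, b) => compare(b, a));
  if (!lines.length) return 'no-fix-listed'; // older than every release line in the alert
  const fix = lines[0];
  const sameLine = fix.core[0] === v.core[0] && fix.core[1] === v.core[1];
  // Assumption: release lines newer than the listed ones already contain the fix.
  if (!sameLine) return 'patched';
  return compare(v, fix) >= 0 ? 'patched' : 'vulnerable';
}

// Constructed sample versions; in an Electron main process pass process.versions.electron.
for (const s of ['1.8.8', '3.1.2', '4.0.4', '5.0.0-beta.1', '5.0.0']) {
  console.log(s.padEnd(14), classifyElectron(s));
}
```

A 'no-fix-listed' result means the version predates every release line named in the alert, so upgrading to a listed line is the only route to the fix.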
BrowserView window.open() Vulnerability Fix
Last modified: February 11, 2019