Allele Security Alert
ASA-2019-00072
Identifier(s)
ASA-2019-00072
Title
Vulnerability that allowed Node to be re-enabled in child windows
Vendor(s)
GitHub
Product(s)
Electron
Affected version(s)
All supported versions of Electron
Fixed version(s)
Electron versions 2.0.17, 3.0.15, 3.1.3, 4.0.4, and 5.0.0-beta.2
Proof of concept
Unknown
Description
A code vulnerability has been discovered that allows Node to be re-enabled in child windows.
Opening a BrowserView with sandbox: true or nativeWindowOpen: true, together with nodeIntegration: false, results in a webContents where window.open can be called, and the newly opened child window will have nodeIntegration enabled.
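To triage an inventory of Electron builds against the fixed versions listed above, the following added example (not part of the original alert or of Electron's own code) classifies a version string per release line. The function names and the sample inventory are constructed here, and treating final releases on later release lines as patched is an assumption.

```javascript
// Added example: fixed releases as listed in this alert.
const FIXED = ['2.0.17', '3.0.15', '3.1.3', '4.0.4', '5.0.0-beta.2'];

// Parse "major.minor.patch[-tag.n]"; returns null when the string is malformed.
function parse(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([a-z]+)\.(\d+))?$/.exec(String(version).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3],
           tag: m[4] || null, n: m[5] === undefined ? 0 : +m[5] };
}

// Order two versions on the same release line (same major.minor).
// A final release sorts after any prerelease of the same patch level.
function compareInLine(a, b) {
  if (a.patch !== b.patch) return a.patch - b.patch;
  if (a.tag === b.tag) return a.n - b.n;
  if (a.tag === null) return 1;
  if (b.tag === null) return -1;
  return NaN; // different prerelease channels: no ordering assumed
}

// Returns 'patched', 'vulnerable' or 'unknown' (needs manual review).
function classify(version) {
  const v = parse(version);
  if (!v) return 'unknown';
  const fixed = FIXED.map(parse);
  const line = fixed.find(f => f.major === v.major && f.minor === v.minor);
  if (line) {
    const c = compareInLine(v, line);
    if (Number.isNaN(c)) return 'unknown';
    return c >= 0 ? 'patched' : 'vulnerable';
  }
  // No fixed release on this line. Assumption: a final release on a line newer
  // than a fixed line carries the fix; anything else is left for review.
  const newerThanFixedLine = fixed.some(f =>
    f.major < v.major || (f.major === v.major && f.minor < v.minor));
  return newerThanFixedLine && v.tag === null ? 'patched' : 'unknown';
}

// Constructed sample inventory, not taken from the alert.
for (const v of ['2.0.16', '3.1.3', '5.0.0-beta.1', '4.1.0', '1.8.8']) {
  console.log(v, classify(v));
}
```

Versions reported as unknown fall on a line for which the alert lists no fixed release, or use a prerelease channel that cannot be ordered against the listed fix.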
Technical details
Unknown
Credits
PalmerAL
Reference(s)
BrowserView window.open() Vulnerability Fix
https://electronjs.org/blog/window-open-fix
electron v2.0.17
https://github.com/electron/electron/releases/tag/v2.0.17
electron v3.0.15
https://github.com/electron/electron/releases/tag/v3.0.15
electron v3.1.3
https://github.com/electron/electron/releases/tag/v3.1.3
electron v4.0.4
https://github.com/electron/electron/releases/tag/v4.0.4
electron v5.0.0-beta.2
https://github.com/electron/electron/releases/tag/v5.0.0-beta.2
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 11, 2019