A vulnerability has been discovered that allows Node.js integration to be re-enabled in some Electron applications that disable it.
For an application to be affected by this vulnerability, it must meet all of the following conditions.
Update to Electron version 1.7.13, 1.8.4, or 2.0.0-beta.5 or later.
If you are unable to update your Electron version, you can mitigate the vulnerability with the following code.
const { app } = require('electron')

// Force Node integration off, and drop any preload script, for every
// window opened from a renderer, so the options a page passes when it
// opens a new window cannot re-enable it.
app.on('web-contents-created', (event, win) => {
  win.on('new-window', (event, newURL, frameName, disposition,
                        options, additionalFeatures) => {
    if (!options.webPreferences) options.webPreferences = {};
    options.webPreferences.nodeIntegration = false;
    options.webPreferences.nodeIntegrationInWorker = false;
    options.webPreferences.webviewTag = false;
    delete options.webPreferences.preload;
  })
})

// and *IF* you don't use WebViews at all,
// you might also want to block every <webview> from attaching:
app.on('web-contents-created', (event, win) => {
  win.on('will-attach-webview', (event, webPreferences, params) => {
    event.preventDefault();
  })
})
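The following is an added example, not code from the advisory or from the Electron project: the same hardening written as functions that can be unit-tested without launching Electron, plus a will-attach-webview handler for apps that do use WebViews, which strips the webview's preload and Node access and only allows an allow-listed origin instead of blocking every webview (allowedOrigins, installHandlers and the origin check are assumptions of this example).

```javascript
'use strict';

// Mutates the `options` object an Electron new-window handler receives:
// Node access off in the window and its workers, no <webview> tag, no preload.
function hardenNewWindowOptions(options) {
  if (!options.webPreferences) options.webPreferences = {};
  const prefs = options.webPreferences;
  prefs.nodeIntegration = false;
  prefs.nodeIntegrationInWorker = false;
  prefs.webviewTag = false;
  delete prefs.preload;
  return options;
}

// For apps that need <webview>: allow the attach only when params.src is on
// an app-specific allow-list (`allowedOrigins` is an assumed input) and strip
// any preload or Node access the page may have requested. Returns false when
// the attach should be cancelled (unparseable or non-allow-listed src).
function sanitizeWebviewAttach(webPreferences, params, allowedOrigins) {
  let origin;
  try {
    origin = new URL(params.src).origin;
  } catch (err) {
    return false;
  }
  if (!allowedOrigins.includes(origin)) return false;
  delete webPreferences.preload;
  delete webPreferences.preloadURL;
  webPreferences.nodeIntegration = false;
  webPreferences.nodeIntegrationInWorker = false;
  return true;
}

// Registers both handlers on an Electron `app` object (assumed wiring).
function installHandlers(app, allowedOrigins) {
  app.on('web-contents-created', (event, contents) => {
    contents.on('new-window', (event, url, frameName, disposition, options) => {
      hardenNewWindowOptions(options);
    });
    contents.on('will-attach-webview', (event, webPreferences, params) => {
      if (!sanitizeWebviewAttach(webPreferences, params, allowedOrigins)) {
        event.preventDefault();
      }
    });
  });
}
```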
electronjs.org/blog/webview-fix
github.com/electron/electron
github.com/electron/electron/commit/1a48ee28276e6588dbf4e70e58d78e7bfdc57043
github.com/electron/electron/pull/12271
github.com/electron/electron/pull/12292
github.com/electron/electron/pull/12294
nvd.nist.gov/vuln/detail/CVE-2018-1000136
www.electronjs.org/blog/webview-fix
www.npmjs.com/advisories/574
www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2018-1000136---Electron-nodeIntegration-Bypass