Insecure Defaults Affecting electron Open this link in a new tab package, versions >=17.0.0-alpha.1 <17.4.5

  • Attack Complexity


Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id


  • published

    18 May 2022

  • disclosed

    18 May 2022

  • credit

    Alesandro Ortiz

How to fix?

Upgrade electron to version 17.4.5 or higher.


electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Insecure Defaults when using GetOriginalOpener to get opener's origin on FrameTree initialization. GetOriginalOpener was used to get the opener, but that function will actually return the main frame of the opener. This means when the FrameTree is opened by a non-main frame, it might inherit the wrong origin.