Insecure Defaults Affecting electron package, versions >=17.0.0-alpha.1 <17.4.5


0.0
medium

Snyk CVSS

    Attack Complexity High

    Threat Intelligence

    EPSS 0.13% (48th percentile)
Expand this section
NVD
4.3 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-ELECTRON-2833549
  • published 18 May 2022
  • disclosed 18 May 2022
  • credit Alesandro Ortiz

How to fix?

Upgrade electron to version 17.4.5 or higher.

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Insecure Defaults when using GetOriginalOpener to get opener's origin on FrameTree initialization. GetOriginalOpener was used to get the opener, but that function will actually return the main frame of the opener. This means when the FrameTree is opened by a non-main frame, it might inherit the wrong origin.