Insecure Defaults Affecting electron package, versions >=17.0.0-alpha.1 <17.4.5
Snyk CVSS
Attack Complexity
High
Threat Intelligence
EPSS
0.13% (48th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-ELECTRON-2833549
- published 18 May 2022
- disclosed 18 May 2022
- credit Alesandro Ortiz
Introduced: 18 May 2022
CVE-2022-1637 Open this link in a new tabHow to fix?
Upgrade electron
to version 17.4.5 or higher.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Insecure Defaults when using GetOriginalOpener
to get opener's origin on FrameTree initialization. GetOriginalOpener
was used to get the opener, but that function will actually return the main frame of the opener. This means when the FrameTree is opened by a non-main frame, it might inherit the wrong origin.