BrowserView window.open() Vulnerability Fix
A code vulnerability has been discovered that allows Node to be re-enabled in child windows.
Opening a BrowserView with sandbox: true or nativeWindowOpen: true and nodeIntegration: false results in a webContents where window.open can be called, and the newly opened child window will have nodeIntegration enabled. This vulnerability affects all supported versions of Electron.
Mitigation
We've published new versions of Electron which include fixes for this vulnerability:
2.0.17,
3.0.15,
3.1.3,
4.0.4, and
5.0.0-beta.2.
We encourage all Electron developers to update their apps to the latest stable version immediately.
If for some reason you are unable to upgrade your Electron version, you can mitigate this issue by disabling all child web contents:
view.webContents.on('-add-new-contents', (e) => e.preventDefault());
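A version-gated form of this workaround, as an added example that is not Electron project code: it compares the running version against the fixed releases listed above and attaches the handler only on builds without the fix. The names isPatched and blockChildContents are hypothetical, and the handling of versions the advisory does not list is an assumption marked in the comments.

```javascript
// Added example, not Electron project code. Version numbers come from this advisory.
// First fixed patch release for each release line the advisory lists.
const FIRST_FIXED_PATCH = { '2.0': 17, '3.0': 15, '3.1': 3, '4.0': 4 };

// Returns true when `version` (for example process.versions.electron) has the fix.
function isPatched(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([a-z]+)\.(\d+))?/.exec(String(version));
  if (!m) return false; // unparseable: treat as vulnerable
  const [major, minor, patch] = [m[1], m[2], m[3]].map(Number);
  const tag = m[4];
  if (major < 2) return false; // the advisory lists no fix below 2.0.17
  if (major === 5 && minor === 0 && patch === 0 && tag) {
    // 5.0.0-beta.2 is the first fixed pre-release; other tags are treated as vulnerable.
    return tag === 'beta' && Number(m[5]) >= 2;
  }
  if (major >= 5) return true; // assumption: releases after 5.0.0-beta.2 keep the fix
  const firstFixed = FIRST_FIXED_PATCH[`${major}.${minor}`];
  if (firstFixed !== undefined) {
    return patch > firstFixed || (patch === firstFixed && !tag);
  }
  return true; // assumption: minor lines newer than those listed keep the fix
}

// Applies the advisory's workaround to a BrowserView on builds without the fix.
// `view` only needs webContents.on(); returns true when the handler was attached.
function blockChildContents(view, version = process.versions.electron) {
  if (isPatched(version)) return false;
  view.webContents.on('-add-new-contents', (e) => e.preventDefault());
  return true;
}
```

Call blockChildContents(view) right after constructing each BrowserView; on a build without the fix it disables every child window that view would open, including legitimate ones.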
Further Information
This vulnerability was found and reported responsibly to the Electron project by PalmerAL.
To learn more about best practices for keeping your Electron apps secure, see our security tutorial.
Please file a GitHub Security Advisory if you wish to report a vulnerability in Electron.