MEDIUM 6.8

GHSA-xwr5-m59h-vwqr

Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes

Details

### Impact

The `nodeIntegrationInWorker` webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with `nodeIntegrationInWorker: false` could still receive Node.js integration.

Apps are only affected if they enable `nodeIntegrationInWorker`. Apps that do not use `nodeIntegrationInWorker` are not affected.

### Workarounds

Avoid enabling `nodeIntegrationInWorker` in apps that also open child windows or embed content with differing webPreferences.

### Fixed Versions

* `41.0.0`
* `40.8.4`
* `39.8.4`
* `38.8.6`

### For more information

If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org).

Affected packages

| Package | Introduced in | Fixed in | Fix |
| --- | --- | --- | --- |
| npm / electron | 0 | 38.8.6 | `npm install electron@38.8.6` |
| npm / electron | 39.0.0-alpha.1 | 39.8.4 | `npm install electron@39.8.4` |
| npm / electron | 40.0.0-alpha.1 | 40.8.4 | `npm install electron@40.8.4` |
| npm / electron | 41.0.0-alpha.1 | 41.0.0 | `npm install electron@41.0.0` |

References