Severity: HIGH 8.1

GHSA-8xwg-wv7v-4vqp

Electron Vulnerable to Code Execution by Re-Enabling Node.js Integration

Details

A vulnerability has been discovered which allows Node.js integration to be re-enabled in some Electron applications that disable it.

For the application to be impacted by this vulnerability, it must meet all of these conditions:

- Runs on Electron 1.7, 1.8, or a 2.0.0-beta
- Allows execution of arbitrary remote code
- Disables Node.js integration
- Does not explicitly declare `webviewTag: false` in its `webPreferences`
- Does not enable the `nativeWindowOption` option
- Does not intercept `new-window` events and manually override `event.newGuest` without using the supplied `options` tag

## Recommendation

Update to `electron` version 1.7.13, 1.8.4, or 2.0.0-beta.5 or later.

If you are unable to update your Electron version, you can mitigate the vulnerability with the following code.

```js
const { app } = require('electron');

app.on('web-contents-created', (event, win) => {
  win.on('new-window', (event, newURL, frameName, disposition, options, additionalFeatures) => {
    // Force the child window's webPreferences to stay locked down,
    // regardless of what the opener supplied.
    if (!options.webPreferences) options.webPreferences = {};
    options.webPreferences.nodeIntegration = false;
    options.webPreferences.nodeIntegrationInWorker = false;
    options.webPreferences.webviewTag = false;
    delete options.webPreferences.preload;
  });
});

// and *IF* you don't use WebViews at all,
// you might also want
app.on('web-contents-created', (event, win) => {
  win.on('will-attach-webview', (event, webPreferences, params) => {
    // Block every <webview> attachment outright.
    event.preventDefault();
  });
});
```


Affected packages

| Package | Introduced in | Fixed in | Fix |
|---|---|---|---|
| npm / electron | 1.7.0 | 1.7.13 | `npm install electron@1.7.13` |
| npm / electron | 1.8.0 | 1.8.4 | `npm install electron@1.8.4` |
| npm / electron | 2.0.0-beta.1 | 2.0.0-beta.5 | `npm install electron@2.0.0-beta.5` |
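As an added example (not part of the advisory or of Electron itself), the following script turns the affected ranges in the table above and the `webPreferences` conditions from the Details section into a check you can run against your own dependency version and window options. The version parser is a deliberately simplified semver reader that only understands `x.y.z` and `x.y.z-tag.N`, which covers every version listed on this page.

```javascript
// Affected ranges as listed on this advisory page: [introduced, fixed).
const AFFECTED_RANGES = [
  { introduced: '1.7.0', fixed: '1.7.13' },
  { introduced: '1.8.0', fixed: '1.8.4' },
  { introduced: '2.0.0-beta.1', fixed: '2.0.0-beta.5' },
];

// Simplified semver parse (assumption: only "x.y.z" or "x.y.z-tag.N" occur).
// A final release sorts after any prerelease of the same x.y.z, so the
// fourth component is 0 for prereleases and 1 for releases.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([a-z]+)\.(\d+))?$/i.exec(v.trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4] ? 0 : 1, m[5] ? Number(m[5]) : 0];
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < pa.length; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed version lies in any affected range.
function isAffectedVersion(version) {
  return AFFECTED_RANGES.some(
    (r) => compareVersions(version, r.introduced) >= 0 && compareVersions(version, r.fixed) < 0
  );
}

// Mirrors two of the advisory's conditions: Node.js integration is disabled,
// but webviewTag was not explicitly set to false, so the re-enable path stays open.
function webPreferencesLeaveGap(webPreferences = {}) {
  const nodeDisabled = webPreferences.nodeIntegration === false;
  const webviewExplicitlyOff = webPreferences.webviewTag === false;
  return nodeDisabled && !webviewExplicitlyOff;
}

// Combined verdict for one app: version in range AND window options leave the gap.
function needsMitigation(version, webPreferences) {
  return isAffectedVersion(version) && webPreferencesLeaveGap(webPreferences);
}

module.exports = { isAffectedVersion, webPreferencesLeaveGap, needsMitigation, compareVersions };
```

The version check alone is not a verdict: an app on an affected version that already sets `webviewTag: false` everywhere, or that never loads remote content, does not meet the advisory's conditions.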
