Versions of electron A vulnerability has been discovered which allows Node.js integration to be re-enabled in some Electron applications that disable it.
For the application to be impacted by this vulnerability it must meet all of these conditions
Update to electron
version 1.7.13, 1.8.4, or 2.0.0-beta.5 or later.
If you are unable to update your Electron version can mitigate the vulnerability with the following code.
app.on('web-contents-created', (event, win) => {
win.on('new-window', (event, newURL, frameName, disposition,
options, additionalFeatures) => {
if (!options.webPreferences) options.webPreferences = {};
options.webPreferences.nodeIntegration = false;
options.webPreferences.nodeIntegrationInWorker = false;
options.webPreferences.webviewTag = false;
delete options.webPreferences.preload;
})
})
// and *IF* you don't use WebViews at all,
// you might also want
app.on('web-contents-created', (event, win) => {
win.on('will-attach-webview', (event, webPreferences, params) => {
event.preventDefault();
})
})