logo

Database

Missing subresource integrity check In electron

Description

Electron: Incorrect origin passed to permission request handler for iframe requests

Impact

When an iframe requests fullscreen, pointerLock, keyboardLock, openExternal, or media permissions, the origin passed to session.setPermissionRequestHandler() was the top-level page's origin rather than the requesting iframe's origin. Apps that grant permissions based on the origin parameter or webContents.getURL() may inadvertently grant permissions to embedded third-party content.

The correct requesting URL remains available via details.requestingUrl. Apps that already check details.requestingUrl are not affected.

Workarounds

In your setPermissionRequestHandler, inspect details.requestingUrl rather than the origin parameter or webContents.getURL() when deciding whether to grant fullscreen, pointerLock, keyboardLock, openExternal, or media permissions.

Fixed Versions

    41.0.0

    40.8.1

    39.8.1

    38.8.6

For more information

If there are any questions or comments about this advisory, please email [email protected]

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-347772. NVD-2026-347773. OSV-2026-347774. GHSA-r5p7-gp4j-qhrx5. GCVE-2026-34777

References

1. https://github.com/electron/electron/security/advisories/GHSA-r5p7-gp4j-qhrx

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.