Sensitive information sent insecurely In podman-desktop
Description
Electron: Named window.open targets not scoped to the opener's browsing context
Impact
When a renderer calls window.open() with a target name, Electron did not correctly scope the named-window lookup to the opener's browsing context group. A renderer could navigate an existing child window that was opened by a different, unrelated renderer if both used the same target name. If that existing child was created with more permissive webPreferences (via setWindowOpenHandler's overrideBrowserWindowOptions), content loaded by the second renderer inherits those permissions.
Apps are only affected if they open multiple top-level windows with differing trust levels and use setWindowOpenHandler to grant child windows elevated webPreferences such as a privileged preload script. Apps that do not elevate child window privileges, or that use a single top-level window, are not affected.
Apps that additionally grant nodeIntegration: true or sandbox: false to child windows (contrary to the security recommendations) may be exposed to arbitrary code execution.
Workarounds
Deny window.open() in renderers that load untrusted content by returning { action: 'deny' } from setWindowOpenHandler. Avoid granting child windows more permissive webPreferences than their opener.
Fixed Versions
42.0.0-alpha.5
41.1.0
40.8.5
39.8.5
For more information
If you have any questions or comments about this advisory, email us at [email protected]
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 rpm rhel10 | - | - | |
 npm | 39.8.5, 40.8.5, 41.1.0, 42.0.0-alpha.5 | ||
rpm rhel10 | - | - |
Aliases
References