Electron: Use-after-free in offscreen child window paint callback

### Impact Apps that use offscreen rendering and allow child windows via `window.open()` may be vulnerable to a use-after-free. If the parent offscreen `WebContents` is destroyed while a child window remains open, subsequent paint frames on the child dereference freed memory, which may lead to a crash or memory corruption. Apps are only affected if they use offscreen rendering (`webPreferences.offscreen: true`) and their `setWindowOpenHandler` permits child windows. Apps that do not use offscreen rendering, or that deny child windows, are not affected. ### Workarounds Deny child window creation from offscreen renderers in your `setWindowOpenHandler`, or ensure child windows are closed before the parent is destroyed. ### Fixed Versions * `41.0.0` * `40.7.0` * `39.8.1` ### For more information If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)