Electron: Renderer command-line switch injection via undocumented commandLineSwitches webPreference

### Impact An undocumented `commandLineSwitches` webPreference allowed arbitrary switches to be appended to the renderer process command line. Apps that construct `webPreferences` by spreading untrusted configuration objects may inadvertently allow an attacker to inject switches that disable renderer sandboxing or web security controls. Apps are only affected if they construct `webPreferences` from external or untrusted input without an allowlist. Apps that use a fixed, hardcoded `webPreferences` object are not affected. ### Workarounds Do not spread untrusted input into `webPreferences`. Use an explicit allowlist of permitted preference keys when constructing `BrowserWindow` or `webContents` options from external configuration. ### Fixed Versions * `41.0.0-beta.8` * `40.7.0` * `39.8.0` * `38.8.6` ### For more information If there are any questions or comments about this advisory, send an email to [security@electronjs.org](mailto:security@electronjs.org)