Electron named window.open 目标未限定在 opener 的浏览上下文环境中

The vulnerability allows a malicious renderer process to hijack a child window opened by another renderer if they share the same target name. This can lead to a variety of attacks, including unauthorized access to sensitive data, modification of application state, and potentially even code execution depending on the webPreferences of the hijacked window. An attacker could craft a malicious webpage that, when opened within an Electron application, exploits this flaw to gain control of other windows within the same application. The blast radius is limited to applications using Electron and sharing target names between renderer processes, but the potential impact on user data and application integrity is significant.

Applications built using Electron that utilize shared target names for window.open() calls are at risk. This includes desktop applications that integrate web content or rely on complex window management. Developers using Electron's setWindowOpenHandler with permissive webPreferences are particularly vulnerable, as they may inadvertently grant attackers greater control over hijacked windows.

• linux / server: Monitor Electron application logs for unusual window navigation events or errors related to target name resolution. Use ps and lsof to identify running Electron processes and their associated files.

lsof -p $(pgrep electron)

• generic web: Inspect network traffic for unexpected requests originating from Electron applications, particularly those involving window navigation. Use browser developer tools to monitor window.open() calls and their target names. • javascript: Review Electron application code for instances of window.open() with shared target names. Look for code that might be vulnerable to cross-renderer context manipulation.

1. 2026-04-07Disclosure

   disclosure

1. 已保留2026-03-30
2. 发布日期2026-04-07
3. 修改日期2026-04-13
4. EPSS 更新日期2026-04-15

The primary mitigation is to upgrade to Electron version 39.8.5 or later. If upgrading is not immediately feasible, consider implementing stricter controls on the target names used in window.open() calls to ensure uniqueness across renderer processes. Carefully review and restrict the webPreferences settings for windows opened with setWindowOpenHandler to minimize the potential impact of a hijacked window. Implement robust input validation and sanitization to prevent malicious scripts from manipulating target names. After upgrading, verify the fix by attempting to open windows with the same target name from different renderer contexts and confirming that navigation is restricted.