In-app Navigation and Electron.js Version #451

@masood

Description

Summary:

While the Excel Parser Desktop Application uses secure web preferences, it does not use event listeners that prevent in-app navigation. Moreover, the application can benefit from an update to the underlying Electron.js version.

Platform(s) Affected:

macOS, Windows, Linux

Steps To Reproduce:

  1. Open the Excel Parser Desktop Application.
  2. From the “View” menu, choose “Toggle Developer Tools”.
  3. [In-app Navigation] Within the console, enter `window.location = "https://attacker.com/"`. The application window navigates to the third-party site.
  4. [Alt. in-app navigation] Alternatively, within the console, enter `window.open("https://attacker.com/")`. The application opens a new window with the third-party domain.
  5. [Web Preferences] While the app disables nodeIntegration and enables contextIsolation, it does not enable sandbox. These features can be taken care of by the defaults of the latest Electron.js version.
  6. [Electron.js Version] Finally, the current version of Excel Parser depends on Electron v17, which is vulnerable to numerous CVEs. [Example] The app can benefit from an update to the framework version that fixes numerous security issues. [Link]

--
Mir Masood Ali, PhD student, University of Illinois at Chicago
Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago
Chris Kanich, Associate Professor, University of Illinois at Chicago
Jason Polakis, Associate Professor, University of Illinois at Chicago