Electron Incorrect Origin in Permission Request Handler for Iframe Requests
Vulnerability
A vulnerability exists in Electron versions prior to 38.8.6, 39.0.0-alpha.1 through 39.8.1, 40.0.0-alpha.1 through 40.8.1, and 41.0.0-alpha.1 through 41.0.0. When an iframe requests the fullscreen, pointerLock, keyboardLock, openExternal, or media permission, the origin passed to session.setPermissionRequestHandler() is the top-level page's origin rather than the iframe's origin. Apps whose handler relies on the origin parameter or on webContents.getURL() can therefore grant permissions to embedded third-party content unintentionally. The correct requesting URL is still available through details.requestingUrl, so apps that check that value instead are unaffected.
Impact
This vulnerability can result in improper permission handling, allowing apps to inadvertently grant permissions to third-party content embedded within iframes.
Remediation
To address this vulnerability, update Electron to version 38.8.6, 39.8.1, 40.8.1, or 41.0.0. If an immediate update is not possible, modify the permission request handler to evaluate details.requestingUrl instead of the origin parameter or webContents.getURL() when determining whether to allow fullscreen, pointerLock, keyboardLock, openExternal, or media permissions.
