Electron Service Worker IPC Spoofing Vulnerability in WebContents Execution
Vulnerability
A vulnerability exists in Electron versions prior to 38.8.6, between 39.0.0-alpha.1 and 39.8.1, between 40.0.0-alpha.1 and 40.8.1, and between 41.0.0-alpha.1 and 41.0.0. A service worker in a session could spoof reply messages on the internal IPC channel used by webContents.executeJavaScript() and related methods. This would cause the main-process promise to resolve with data controlled by an attacker. Applications are only vulnerable if they have registered service workers and rely on the results of webContents.executeJavaScript() or webFrameMain.executeJavaScript() for security-sensitive decisions.
Impact
Exploitation allows a service worker to manipulate IPC replies, leading to the main process receiving attacker-controlled data. This could potentially be used to bypass security measures or introduce malicious behavior in the application.
Remediation
Users can upgrade to Electron versions 38.8.6, 39.8.1, 40.8.1, or 41.0.0 to address this vulnerability. As an additional precaution, avoid using the return value of webContents.executeJavaScript() for security-related decisions and instead use dedicated, validated IPC channels for communication with renderers.
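The main-process pattern the remediation describes, as an added example that is not from the advisory or from Electron itself: the value resolved by executeJavaScript() is kept out of any decision, and a dedicated ipcMain.handle channel checks the sender frame's origin and the request shape before answering from main-process state. The trusted origin `https://app.example` and the `lookupRole` callback are assumptions for illustration.

```javascript
// Added example, not Electron's or the advisory's code. Assumed: the trusted renderer origin below and a hypothetical lookupRole().
const ALLOWED_ORIGINS = new Set(['https://app.example']);

// The pattern the advisory warns about: the resolved value can be spoofed
// by a service worker in the session, so it must not gate a decision.
async function isAdminUnsafe(webContents) {
  const claimed = await webContents.executeJavaScript('window.user.isAdmin');
  return claimed === true;
}

// Derive an origin string from a frame URL; returns null if the URL is unparseable.
function frameOrigin(url) {
  try {
    const u = new URL(url);
    // WHATWG origin is the literal string "null" for custom or file schemes,
    // so fall back to scheme + host for apps served that way.
    return u.origin !== 'null' ? u.origin : `${u.protocol}//${u.host}`;
  } catch {
    return null;
  }
}

// senderFrame can be null when the frame has already gone away; treat that as untrusted.
function isTrustedSender(event, allowed = ALLOWED_ORIGINS) {
  const frame = event && event.senderFrame;
  if (!frame || typeof frame.url !== 'string') return false;
  const origin = frameOrigin(frame.url);
  return origin !== null && allowed.has(origin);
}

// Accept only the exact request shape; reject extra keys and odd types.
function parseUserRequest(payload) {
  if (payload === null || typeof payload !== 'object' || Array.isArray(payload)) return null;
  if (Object.keys(payload).length !== 1 || typeof payload.userId !== 'string') return null;
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(payload.userId)) return null;
  return { userId: payload.userId };
}

// Dedicated channel handler: the role comes from main-process state
// (lookupRole), never from anything the renderer sent back.
function makeRoleHandler(lookupRole, allowed = ALLOWED_ORIGINS) {
  return (event, payload) => {
    if (!isTrustedSender(event, allowed)) throw new Error('untrusted sender');
    const req = parseUserRequest(payload);
    if (!req) throw new Error('malformed request');
    return { userId: req.userId, isAdmin: lookupRole(req.userId) === 'admin' };
  };
}
// Wire-up in the real main process: ipcMain.handle('user:get-role', makeRoleHandler(lookupRole));
```

A thrown error in the handler surfaces to the renderer as a rejected `ipcRenderer.invoke()` promise, so the renderer learns nothing about the role on a failed check.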
