Electron Context Isolation Bypass Vulnerability via contextBridge VideoFrame Transfer

Vulnerability

A context isolation bypass vulnerability has been identified in Electron applications that bridge VideoFrame objects through the contextBridge. Affected versions are 39.0.0-alpha.1 up to but not including 39.8.0, 40.0.0-alpha.1 up to but not including 40.7.0, and 41.0.0-alpha.1 up to but not including 41.0.0-beta.8. The vulnerability allows an attacker who can execute JavaScript in the main world, such as through cross-site scripting (XSS), to access the isolated world and any Node.js APIs exposed to the preload script. The issue arises when a preload script returns, resolves, or passes a VideoFrame object to the main world via contextBridge.exposeInMainWorld(). Applications that do not bridge VideoFrame objects are not affected.

Impact

Exploitation of this vulnerability allows for a context isolation bypass, enabling access to the isolated world and any Node.js APIs exposed to the preload script.

Remediation

To address this vulnerability, update Electron to version 39.8.0, 40.7.0, or 41.0.0-beta.8. If an immediate update is not possible, as a temporary workaround, avoid passing VideoFrame objects across the contextBridge. Instead, serialize the video frame data to an ArrayBuffer or ImageBitmap before bridging.
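
The ArrayBuffer workaround described above, as an added example that is not code from the advisory or the Electron project. The exposed API name `frames`, the frame source `grabFrame`, and the two stub helpers are hypothetical and constructed so the helper can be exercised outside Electron.

```javascript
// Added example (not Electron's or the advisory's code). Preload-side helper for
// the workaround: copy pixels out of a VideoFrame so only plain data is bridged.

// Returns primitives plus an ArrayBuffer; the VideoFrame never leaves this world.
async function frameToPlainData(frame) {
  try {
    const data = new ArrayBuffer(frame.allocationSize());
    const layout = await frame.copyTo(data); // resolves to [{ offset, stride }, ...]
    return {
      format: frame.format,
      codedWidth: frame.codedWidth,
      codedHeight: frame.codedHeight,
      timestamp: frame.timestamp,
      layout: layout.map(({ offset, stride }) => ({ offset, stride })),
      data,
    };
  } finally {
    frame.close(); // release the frame on success and on error
  }
}

// `grabFrame` is a hypothetical app function that resolves to a VideoFrame.
// In preload.js: exposeFrameApi(require('electron').contextBridge, grabFrame)
function exposeFrameApi(contextBridge, grabFrame) {
  contextBridge.exposeInMainWorld('frames', {
    next: async () => frameToPlainData(await grabFrame()),
  });
}

// Constructed stand-in for a 2x2 RGBA VideoFrame so the helper runs under plain Node.
function makeStubFrame() {
  const pixels = Uint8Array.from({ length: 16 }, (_, i) => i);
  return {
    format: 'RGBA', codedWidth: 2, codedHeight: 2, timestamp: 0, closed: false,
    allocationSize() { return pixels.byteLength; },
    async copyTo(dest) {
      new Uint8Array(dest).set(pixels);
      return [{ offset: 0, stride: 8 }];
    },
    close() { this.closed = true; },
  };
}

// Constructed stand-in for contextBridge that records what would be exposed.
function makeStubBridge() {
  const exposed = {};
  return { exposed, exposeInMainWorld(key, api) { exposed[key] = api; } };
}
```

The main world can rebuild a frame from the returned bytes if it needs one; the object that crosses the bridge holds only strings, numbers, plain objects and an ArrayBuffer.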

Added: Apr 4, 2026, 1:18 AM
Updated: Apr 4, 2026, 1:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 6.6
remediation: 0.0
relevance: 5.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.