A remote code execution vulnerability has been discovered affecting Electron apps that use custom protocol handlers. This vulnerability has been assigned the CVE identifier CVE-2018-1000006.
Affected Platforms
Electron apps designed to run on Windows that register themselves as the default handler for a protocol, like myapp://, are vulnerable.
Such apps can be affected regardless of how the protocol is registered, e.g. using native code, the Windows registry, or Electron's app.setAsDefaultProtocolClient API.
macOS and Linux are not vulnerable to this issue.
Mitigation
We've published new versions of Electron which include fixes for this vulnerability: 1.8.2-beta.5, 1.7.12, and 1.6.17. We urge all Electron developers to update their apps to the latest stable version immediately.
Se por algum motivo, você não pode atualizar sua versão do Electron, você pode acrescentar -- como o último argumento ao ligar para um aplicativo. etAsDefaultProtocolClient, que impede o Chromium de analisar outras opções. The double dash -- signifies the end of command options, after which only positional parameters are accepted.
app.setAsDefaultProtocolClient(protocol, process.execPath, [
'--your-switches-here',
'--',
]);
Veja o app.setAsDefaultProtocolClient API para mais detalhes.
Para saber mais sobre as melhores práticas para manter seus apps Electron seguros, veja nosso tutorial de segurança.
If you wish to report a vulnerability in Electron, email security@electronjs.org.