CVE-2020-15174, GHSA-2q4g-w47c-4674
npm/electron
Improper Input Validation
In Electron, the will-navigate event that apps use to prevent navigations to unexpected destinations, as per our security recommendations, can be bypassed when a sub-frame performs a top-frame navigation across sites. The issue is patched. As a workaround, sandbox all your iframes using the sandbox attribute. This will prevent them from creating top-frame navigations and is good practice anyway.
All versions starting from 8.0.0 before 8.5.1, all versions starting from 9.0.0 before 9.3.0, all versions starting from 10.0.0 before 10.0.1
Upgrade to versions 8.5.1, 9.3.0, 10.0.1 or above.
2020-10-22