CVE-2020-4075: Files or Directories Accessible to External Parties

July 7, 2020 (updated July 13, 2020)

In Electron, an arbitrary local file read is possible by defining unsafe window options on a child window opened via window.open. As a workaround, ensure you are calling event.preventDefault() on all new-window events where the url or options is not something you expect.

References

nvd.nist.gov/vuln/detail/CVE-2020-4075
www.electronjs.org/releases/stable?page=3

Detect and mitigate CVE-2020-4075 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →