RCE/XSS vulnerability with Mozilla 'interactive-examples' iFrames.

[David-Stephenson]

Hello, I was able to execute code that would interact with the electron instance via the Mozilla interactive examples iFrames. You can watch an example of this vulnerability on YouTube. This is a common vulnerability involved with Electrons "nodeIntegration" property being set to true. You can read more about the vulnerability on Doyensec's Blog.

How to reproduce

The Mozilla interactive examples run inside an iFrame and allows you to modify and execute JavaScript. I was able to execute code inside the iFrame that would set the parent page of iFrame to a website of my choice. On the website of my choice I wrote JavaScript that would interact with the NodeJS process and execute programs require('child_process').exec().

Possible ways to fix the vulnerability.

1. Try running iFrames with the sandbox attribute

[xadhrit]

yes, It's a CVE bug. I have also successfully reproduced it.