Electron.js Version and Handling Opening of New Windows
- Etcher version: 1.18.11
- Operating system and architecture: macOS, Windows, Linux
Summary:
The Etcher Desktop Application uses an old version of Electron. It does not completely limit in-app navigation. Additionally, since the application enables node integration and disables context isolation, it will help to have precautionary checks on these parts of the application.
Details:
- Open the Etcher Desktop Manager Desktop Application from the command-line. Add a command-line switch `--remote-debugging-port=8315` while running the application.
- Open a web browser on the same device and visit `localhost:8315`. The application can be interacted with via the DevTools protocol.
- [Navigation] Within the console, update the location, say, `window.open("https://google.com/")`. This opens a new window. Note that a similar navigation is restricted within the existing app window.
- [Electron.js Version] Since the app uses an old version of Electron, the application runs with `sandbox=true` by default. Updating the application can fix this along with porting multiple security fixes. [Link]
—
Mir Masood Ali, PhD student, University of Illinois at Chicago
Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago
Chris Kanich, Associate Professor, University of Illinois at Chicago
Jason Polakis, Associate Professor, University of Illinois at Chicago
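
Added example, not part of the report above and not Etcher's code: one way to implement the precautionary checks the report asks for, denying new windows, restricting in-window navigation, and auditing `webPreferences`. The function names and the file-only allowlist are assumptions; `setWindowOpenHandler`, the `will-navigate` event and `shell.openExternal` are Electron APIs.

```javascript
// Added example, not Etcher's code. Assumption: the UI is loaded only from
// local file:// URLs, so every other in-window destination is refused.
function isAllowedUrl(rawUrl) {
  try {
    return new URL(rawUrl).protocol === 'file:';
  } catch {
    return false; // unparseable URL: refuse
  }
}

function isHttpsUrl(rawUrl) {
  try {
    return new URL(rawUrl).protocol === 'https:';
  } catch {
    return false;
  }
}

// `contents` is an Electron webContents; `openExternal` is a callback such as
// shell.openExternal. Both are passed in so this file has no Electron import.
function hardenWebContents(contents, openExternal) {
  // window.open() and target="_blank": never create a new app window.
  contents.setWindowOpenHandler(({ url }) => {
    if (isHttpsUrl(url)) openExternal(url); // hand off to the default browser
    return { action: 'deny' };
  });
  // Navigation inside the existing window: cancel anything off the allowlist.
  contents.on('will-navigate', (event, url) => {
    if (!isAllowedUrl(url)) event.preventDefault();
  });
}

// Report webPreferences that are unsafe or left to the version default.
function auditWebPreferences(prefs = {}) {
  const findings = [];
  if (prefs.nodeIntegration !== false) findings.push('nodeIntegration must be false');
  if (prefs.contextIsolation !== true) findings.push('contextIsolation must be true');
  if (prefs.sandbox !== true) findings.push('sandbox must be true');
  return findings;
}

// Wiring in the main process (Electron required, so shown as a comment):
//   app.on('web-contents-created', (_e, contents) =>
//     hardenWebContents(contents, shell.openExternal));
```

Requiring explicit values in `auditWebPreferences` keeps the result independent of whichever defaults the bundled Electron version ships with.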