Electron is a popular framework for building cross-platform desktop applications with JavaScript, HTML, and CSS. A weakness has been found in certain Electron 22 and 23 releases: a Content-Security-Policy (CSP) that forbids eval-style code execution is not enforced in renderers whose sandbox has been disabled. That removes a defense-in-depth layer the application or the loaded site may be relying on and expands the attack surface. This post examines the issue, shows a code snippet that produces the vulnerable configuration, and recommends steps to mitigate the risk.

Details of CVE-2023-23623

A Content-Security-Policy lets an application, or the site it loads, prevent eval-style code execution, namely eval() and the Function constructor (new Function). Whenever the policy's script-src directive (or default-src, which script-src falls back to) does not include 'unsafe-eval', calls to these functions must be refused with an EvalError.

In the affected Electron versions, however, renderers created with sandbox set to false in the webPreferences object do not enforce this restriction: eval() and new Function() succeed even though the policy forbids them. The eval restriction is one of the last lines of defense against script that has already been injected into a page, so losing it in an unsandboxed renderer, the process type that also lacks the Chromium OS-level sandbox, is a meaningful widening of the attack surface.
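As an added example, not code from the original post or from the Electron project, the following plain JavaScript shows the two halves of the check a practitioner would run: a parser that decides whether a given policy permits eval, and a runtime probe that attempts eval() and new Function() and reports whether they were refused. The sample policies are constructed. Run the probe from a renderer's DevTools console or preload script with the policy copied from the response headers; in plain Node there is no CSP, so the probe reports eval as not blocked, which is exactly the observation an unsandboxed renderer on an affected release gives while the policy says otherwise.

```javascript
// Added example (not from the original post or the Electron project):
// a CSP policy evaluator plus a runtime probe that shows whether eval-style
// code execution is actually blocked in the environment running it.

// eval() and new Function() are governed by script-src, falling back to
// default-src. Returns true if the policy permits eval-style execution.
function cspAllowsEval(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP ignores repeated directives: the first occurrence wins.
    if (!directives.has(name)) {
      directives.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  const governing = directives.get('script-src') ?? directives.get('default-src');
  if (governing === undefined) return true; // nothing restricts scripts at all
  return governing.includes("'unsafe-eval'");
}

// Runtime probe: tries the two constructs a policy without 'unsafe-eval'
// must refuse. Returns true only if every attempt is refused with EvalError.
function evalIsBlocked() {
  const attempts = [
    () => eval('1 + 1'), // eslint-disable-line no-eval
    () => new Function('return 1 + 1')(),
  ];
  let refused = 0;
  for (const attempt of attempts) {
    try {
      attempt();
    } catch (e) {
      if (e instanceof EvalError) refused++;
    }
  }
  return refused === attempts.length;
}

// Compare what the policy demands with what the runtime actually does.
// policyRespected is false when the policy forbids eval but eval still runs,
// which is the behaviour described in this post.
function checkCspEnforcement(policy) {
  const expectedBlocked = !cspAllowsEval(policy);
  const observedBlocked = evalIsBlocked();
  return {
    expectedBlocked,
    observedBlocked,
    policyRespected: expectedBlocked === observedBlocked,
  };
}

// Constructed sample policy, as a site might send it in a response header.
const samplePolicy = "default-src 'self'; img-src https:";
console.log(checkCspEnforcement(samplePolicy));
```

When the probe is pasted into a renderer that does enforce CSP, both attempts throw EvalError and policyRespected becomes true for a policy without 'unsafe-eval'; the parser side is worth keeping separate because many applications set a policy that never governs scripts at all (only img-src or similar), in which case there is nothing for the renderer to enforce.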

Affected Versions

This vulnerability affects the Electron 22 and 23 release lines before the following fixed releases:

Electron 22.0.1
Electron 23.0.0-alpha.2

You can find more information in the official Electron release notes: Electron Releases

Code Snippet

To demonstrate the issue, consider the following code snippet, in which a renderer is created with sandbox set to false in the webPreferences object and then loads remote content:

const { BrowserWindow } = require('electron')

// Explicitly opts out of the renderer sandbox (it is on by default since Electron 20).
let mainWindow = new BrowserWindow({
  webPreferences: {
    sandbox: false
  }
})

// Remote content: the CSP comes from the site's response headers.
mainWindow.loadURL('https://example.com')

In this scenario, on an affected release, the Content-Security-Policy sent by the loaded site is not enforced against eval() and new Function(), so any script that reaches the page can execute dynamically built code that the policy was meant to stop.

Fixing and Mitigation

The proper fix is to upgrade to a patched release (22.0.1, 23.0.0-alpha.2, or any later version). If upgrading is not immediately possible, mitigate by enabling the sandbox for every renderer in your application, and do not set nodeIntegration: true, which also turns the sandbox off:

const { BrowserWindow } = require('electron')

// Sandboxed renderer: CSP is enforced and the Chromium OS-level sandbox applies.
let mainWindow = new BrowserWindow({
  webPreferences: {
    sandbox: true
  }
})

mainWindow.loadURL('https://example.com')

With sandbox: true the renderer enforces the policy's eval restriction and also regains the Chromium OS-level sandbox. Be aware that a sandboxed renderer cannot run a preload script with full Node.js access: expose only what the page needs through contextBridge and ipcRenderer, and re-test any existing preload after making the change.
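To make "enable the sandbox for all renderers" checkable rather than a reminder, here is an added example, not code from the original post or from Electron, that audits the option objects an application passes to BrowserWindow and reports any renderer left without the sandbox or with related hardening switched off. The window list is constructed sample input. It assumes Electron 20 or later, where the sandbox is on unless the app opts out with sandbox: false or nodeIntegration: true.

```javascript
// Added example (not from the original post or the Electron project):
// audit BrowserWindow options so no renderer is left unsandboxed.
// Assumes Electron 20+, where the sandbox is on by default.

function auditWebPreferences(name, options) {
  const prefs = (options && options.webPreferences) || {};
  const findings = [];

  if (prefs.sandbox === false) {
    findings.push(`${name}: sandbox explicitly disabled; CSP eval restriction not enforced on affected 22/23 releases`);
  }
  if (prefs.nodeIntegration === true) {
    findings.push(`${name}: nodeIntegration enabled; this also disables the default sandbox`);
  }
  if (prefs.contextIsolation === false) {
    findings.push(`${name}: contextIsolation disabled; preload globals are reachable from page script`);
  }
  if (prefs.webSecurity === false) {
    findings.push(`${name}: webSecurity disabled; same-origin policy is off`);
  }
  return findings;
}

// Audit every [name, options] pair the app would hand to new BrowserWindow(...).
function auditAllWindows(windows) {
  return windows.flatMap(([name, options]) => auditWebPreferences(name, options));
}

// Constructed sample: the vulnerable window from this post, a second window
// with Node integration, and a hardened window.
const sampleWindows = [
  ['mainWindow', { webPreferences: { sandbox: false } }],
  ['settingsWindow', { webPreferences: { nodeIntegration: true, contextIsolation: false } }],
  ['viewerWindow', { webPreferences: { sandbox: true, contextIsolation: true } }],
];

function sampleFindings() {
  return auditAllWindows(sampleWindows);
}

for (const finding of sampleFindings()) console.log(finding);
```

Wire this into a unit test that imports the same option objects the main process uses, so a window added later with sandbox: false fails the build rather than shipping.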

Conclusion

CVE-2023-23623 is a significant security vulnerability in Electron 22 and 23 releases before 22.0.1 and 23.0.0-alpha.2: a Content-Security-Policy that forbids eval is not enforced in renderers with sandbox set to false. Developers should upgrade to a patched release or, failing that, enable the sandbox for every renderer in the application. Either step restores the policy's eval restriction and reduces the renderer's attack surface.

Timeline

Published on: 09/06/2023 21:15:08 UTC
Last modified on: 09/11/2023 19:02:53 UTC