Closed masood closed 1 year ago
Thank you for your feedback, but I don't think this is a bug unless the user actively uses --remote-debugging-port
to open Fishing Funds. Additionally, based on your steps, I am not able to effectively inspect the console.
Thank you again
Summary:
Thank you for designing the Fishing Funds Desktop Application and making it open source and available. The application adds an event listener that prevents opening new windows, but does not sanitize links before passing them to the user’s system. Additionally, the application does not use an event listener to prevent in-app navigation within the same window.
Platform(s) Affected:
MacOS, Windows, Linux
Steps To Reproduce:
1. `--remote-debugging-port=8315` while running the application.
2. `localhost:8315`. The application can be interacted with via the DevTools protocol.
3. `window.location="https://attacker.com/"`. The application window navigates to the third-party site.
4. `window.open("file:///Applications/Emacs.app/Contents/MacOS/Emacs")`. An alternative would be to check `window.open("file:///Applications/Safari.app/Contents/MacOS/Safari")` which opens the Safari browser. The application passes the link to the underlying system which opens the executable file if one exists at the path. While this is currently prevented by restricting the links that users can add to the application, it will be useful to add a check before passing the links to `shell.openExternal()`.

– Mir Masood Ali, PhD student, University of Illinois at Chicago
Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago
Chris Kanich, Associate Professor, University of Illinois at Chicago
Jason Polakis, Associate Professor, University of Illinois at Chicago
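The two mitigations the report asks for (a scheme check before `shell.openExternal()` and a handler that blocks in-window navigation) can be written as a small policy layer in the Electron main process. The following is an added example, not code from Fishing Funds or from the reporters; it uses Node's built-in `URL` class for the policy so it runs without Electron, and the Electron objects (`webContents`, `shell`) are passed in as parameters. The allowlist of protocols, the `APP_ORIGIN` value and the sample URLs are assumptions for illustration.

```javascript
// Added example (not Fishing Funds' own code): allowlist links before they
// reach shell.openExternal(), and block in-window navigation away from the app.
// Policy logic uses only Node's global URL class; the Electron wiring takes
// webContents and shell as parameters (assumed shapes, per the Electron docs).

// Assumed allowlist: only web and mail links may be handed to the OS.
// file:, javascript:, data: and custom schemes are rejected, so a file:// link
// can never reach the OS as an executable path.
const ALLOWED_PROTOCOLS = new Set(['https:', 'http:', 'mailto:']);

// Returns true only when the string parses as a URL with an allowlisted scheme.
function isSafeExternalUrl(raw) {
  let url;
  try {
    url = new URL(String(raw));
  } catch {
    return false; // unparsable input is never passed on
  }
  return ALLOWED_PROTOCOLS.has(url.protocol);
}

// Decides what a window may do with a navigation target:
//   'allow'    - same origin as the app's own pages (assumed APP_ORIGIN)
//   'external' - allowlisted web link, to be opened by the OS browser instead
//   'deny'     - everything else (file:, javascript:, unknown schemes, garbage)
function classifyNavigation(target, appOrigin) {
  let url;
  try {
    url = new URL(String(target));
  } catch {
    return 'deny';
  }
  if (url.origin === appOrigin) return 'allow';
  if (isSafeExternalUrl(url.href)) return 'external';
  return 'deny';
}

// Installs both guards on a BrowserWindow's webContents. The event names and
// setWindowOpenHandler() are Electron's documented API; the objects are injected
// here so the function can be exercised without Electron installed.
function installNavigationGuards(webContents, shell, appOrigin) {
  // In-window navigation: keep the window on the app's own pages.
  webContents.on('will-navigate', (event, target) => {
    const verdict = classifyNavigation(target, appOrigin);
    if (verdict !== 'allow') event.preventDefault();
    if (verdict === 'external') shell.openExternal(target);
  });
  // window.open(): never create a child window; only allowlisted links go to the OS.
  webContents.setWindowOpenHandler(({ url }) => {
    if (isSafeExternalUrl(url)) shell.openExternal(url);
    return { action: 'deny' };
  });
}

// Constructed sample inputs showing the policy's verdicts.
const APP_ORIGIN = 'http://localhost:3000'; // assumed dev-server origin
const SAMPLE_TARGETS = [
  'http://localhost:3000/index.html',
  'https://example.test/report',
  'file:///Applications/Safari.app/Contents/MacOS/Safari',
  'javascript:alert(1)',
  'not a url',
];

function sampleVerdicts() {
  return SAMPLE_TARGETS.map((t) => [t, classifyNavigation(t, APP_ORIGIN)]);
}

module.exports = { isSafeExternalUrl, classifyNavigation, installNavigationGuards, sampleVerdicts };
```

In a real main process the call would be `installNavigationGuards(win.webContents, shell, APP_ORIGIN)` right after the `BrowserWindow` is created. Note that the check is on the parsed `protocol`, not on a string prefix, so case variations such as `FILE:///...` are normalised by the `URL` parser before the comparison.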