IPC messages sent from the main process to a subframe in the renderer process, through webContents.sendToFrame, event.reply or when using the remote module, can in some cases be delivered to the wrong frame.
If your app does ANY of the following, then it is impacted by this issue:
Uses remote
Calls webContents.sendToFrame
Calls event.reply in an IPC message handler
Patches
This has been fixed in the following versions:
9.4.0
10.2.0
11.1.0
12.0.0-beta.9
Workarounds
There are no workarounds for this issue.
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.
This vulnerability allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases.
All current stable versions of Electron are affected.
Patches
This was fixed with #30728, and the following Electron versions contain the fix:
15.0.0-alpha.10
14.0.0
13.3.0
12.1.0
11.5.0
Workarounds
If your app enables contextIsolation, this vulnerability is significantly more difficult for an attacker to exploit.
Further, if your app does not depend on the createThumbnailFromPath API, then you can simply disable the functionality. In the main process, before the 'ready' event:
This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.
Workarounds
There are no app-side workarounds; you must update your Electron version to be protected.
Fixed Versions
9.0.0-beta.21
8.2.4
7.2.4
6.1.11
For more information
If you have any questions or comments about this advisory:
Apps using both contextIsolation and contextBridge are affected.
This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.
Workarounds
There are no app-side workarounds; you must update your Electron version to be protected.
Fixed Versions
9.0.0-beta.21
8.2.4
7.2.4
For more information
If you have any questions or comments about this advisory:
This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.
Workarounds
There are no app-side workarounds; you must update your Electron version to be protected.
Fixed Versions
9.0.0-beta.21
8.2.4
7.2.4
Non-Impacted Versions
9.0.0-beta.*
For more information
If you have any questions or comments about this advisory:
This vulnerability allows renderers to obtain access to a random Bluetooth device via the Web Bluetooth API if the app has not configured a custom select-bluetooth-device event handler. The device that is accessed is random, and the attacker would have no way of selecting a specific device.
All current stable versions of Electron are affected.
Patches
This has been patched and the following Electron versions contain the fix:
17.0.0-alpha.6
16.0.6
15.3.5
14.2.4
13.6.6
Workarounds
Adding this code to your app can work around the issue.
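A custom select-bluetooth-device handler that denies every request, shown as an added example (not the advisory's own snippet). `installBluetoothDenyHandler` and the `onDenied` logging hook are hypothetical names; `app` is Electron's `app` object, passed in as a parameter.

```javascript
// Added example: register a deny-by-default Web Bluetooth handler on every
// WebContents the app creates, so no renderer falls back to Electron's
// default device selection.
// Assumptions: `app` is Electron's app object (injected so the function has
// no hard dependency on Electron); `onDenied` is a hypothetical logging hook.
function installBluetoothDenyHandler(app, onDenied = () => {}) {
  app.on('web-contents-created', (_event, webContents) => {
    webContents.on('select-bluetooth-device', (event, devices, callback) => {
      // Taking over the event stops Electron from applying its default choice.
      event.preventDefault();
      // An empty device id cancels the request: no device is handed over.
      callback('');
      // Record which page asked, so unexpected requests can be investigated.
      onDenied({
        url: typeof webContents.getURL === 'function' ? webContents.getURL() : '',
        deviceCount: Array.isArray(devices) ? devices.length : 0,
      });
    });
  });
}

// In the main process:
//   installBluetoothDenyHandler(require('electron').app, console.warn);
```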
This vulnerability allows a renderer with JS execution to obtain access to a new renderer process with nodeIntegrationInSubFrames enabled which in turn allows effective access to ipcRenderer.
Please note that the misleadingly named nodeIntegrationInSubFrames option does not implicitly grant Node.js access; rather, it depends on the existing sandbox setting. If your application is sandboxed, then nodeIntegrationInSubFrames just gives access to the sandboxed renderer APIs (which include ipcRenderer).
If your application additionally exposes IPC messages that perform privileged actions or return confidential data without validating the IPC senderFrame, this access to ipcRenderer can in turn compromise your application or user, even with the sandbox enabled.
Patches
This has been patched and the following Electron versions contain the fix:
18.0.0-beta.6
17.2.0
16.2.6
15.5.5
Workarounds
Ensure that all IPC message handlers appropriately validate senderFrame as per our security tutorial here.
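One way to apply senderFrame validation uniformly, as an added example rather than code from the advisory or the Electron tutorial. The allowlist entries, `isTrustedFrame`, `guardHandler` and the `get-secrets` channel are constructed for illustration; `event.senderFrame` is the frame object Electron attaches to IPC events.

```javascript
// Added example: wrap IPC handlers so they run only for frames whose URL
// belongs to an explicit allowlist of origins.
// Assumption: the entries below are constructed; list your app's own origins.
const ALLOWED_ORIGINS = new Set(['app://main', 'https://app.example.test']);

function isTrustedFrame(frame, allowed = ALLOWED_ORIGINS) {
  // senderFrame may be missing if the frame navigated away or was destroyed.
  if (!frame || typeof frame.url !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(frame.url);
  } catch {
    return false; // unparseable URL: never trusted
  }
  // Compare the parsed scheme and host (with port, if any). Prefix or
  // substring checks would accept lookalike hosts such as
  // app.example.test.evil.test.
  return allowed.has(`${parsed.protocol}//${parsed.host}`);
}

function guardHandler(handler, allowed = ALLOWED_ORIGINS) {
  return (event, ...args) => {
    if (!isTrustedFrame(event.senderFrame, allowed)) {
      // With ipcMain.handle, throwing rejects the renderer's invoke() promise.
      throw new Error('IPC call rejected: untrusted sender frame');
    }
    return handler(event, ...args);
  };
}

// In the main process (getSecrets is a hypothetical privileged function):
//   ipcMain.handle('get-secrets', guardHandler(() => getSecrets()));
```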
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.
This vulnerability allows attackers who have control over a given app's update server / update storage to serve maliciously crafted update packages that pass the code signing validation check but contain malicious code in some components.
Please note that this kind of attack would require significant privileges in your own auto updating infrastructure and the ease of that attack entirely depends on your infrastructure security.
Patches
This has been patched and the following Electron versions contain the fix:
18.0.0-beta.6
17.2.0
16.2.0
15.5.0
Workarounds
There are no workarounds for this issue; please update to a patched version of Electron.
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.
When following a redirect, Electron delays a check for redirecting to file:// URLs from other schemes. The contents of the file are not available to the renderer following the redirect, but if the redirect target is an SMB URL such as file://some.website.com/, then in some cases, Windows will connect to that server and attempt NTLM authentication, which can include sending hashed credentials.
Patches
This issue has been fixed in all current stable versions of Electron. Specifically, these versions contain the fixes:
21.0.0-beta.1
20.0.1
19.0.11
18.3.7
We recommend all apps upgrade to the latest stable version of Electron.
Workarounds
If upgrading isn't possible, this issue can be addressed by preventing redirects to file:// URLs in the WebContents.on('will-redirect') event, for all WebContents:
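A will-redirect guard applied to every WebContents, shown as an added example (not the advisory's own snippet). `isFileUrl`, `installFileRedirectGuard` and the `onBlocked` hook are hypothetical names; `app` is Electron's `app` object, passed in as a parameter.

```javascript
// Added example: cancel any redirect whose target uses the file: scheme,
// which covers SMB-style targets such as file://some.website.com/.
function isFileUrl(target) {
  try {
    // The URL parser lowercases the scheme, so FILE:// is caught as well.
    return new URL(target).protocol === 'file:';
  } catch {
    // Strings the parser rejects are checked by prefix instead.
    return /^\s*file:/i.test(String(target));
  }
}

// Assumptions: `app` is Electron's app object (injected so the function has
// no hard dependency on Electron); `onBlocked` is a hypothetical logging hook.
function installFileRedirectGuard(app, onBlocked = () => {}) {
  app.on('web-contents-created', (_event, webContents) => {
    webContents.on('will-redirect', (event, url) => {
      if (isFileUrl(url)) {
        // preventDefault() on will-redirect cancels the navigation.
        event.preventDefault();
        onBlocked(url);
      }
    });
  });
}

// In the main process:
//   installFileRedirectGuard(require('electron').app, (u) => console.warn('blocked', u));
```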
If you have any questions or comments about this advisory, email us at security@electronjs.org.
Credit
Thanks to user @coolcoolnoworries for reporting this issue.
Release Notes
electron/electron (electron)
### [`v18.3.7`](https://redirect.github.com/electron/electron/releases/tag/v18.3.7): electron v18.3.7
[Compare Source](https://redirect.github.com/electron/electron/compare/v18.3.6...v18.3.7)
### Release Notes for v18.3.7
#### Fixes
- Fixed WCO not responding to touch events on windows. [#35177](https://redirect.github.com/electron/electron/pull/35177) (Also in [19](https://redirect.github.com/electron/electron/pull/35176), [20](https://redirect.github.com/electron/electron/pull/35174))
- Fixed `webContents.getUserAgent()` incorrectly returning an empty string unless previously set. [#35130](https://redirect.github.com/electron/electron/pull/35130) (Also in [17](https://redirect.github.com/electron/electron/pull/35151), [19](https://redirect.github.com/electron/electron/pull/35132), [20](https://redirect.github.com/electron/electron/pull/35131))
- Fixed an issue in which calling setBounds() after e.preventDefault in a 'will-move' or 'will-resize' event wouldn't change the window's shape until the mouse button was released. [#35082](https://redirect.github.com/electron/electron/pull/35082) (Also in [19](https://redirect.github.com/electron/electron/pull/35083), [20](https://redirect.github.com/electron/electron/pull/35084))
- Fixed context menu not showing all items on macOS when dock is not hidden. [#35198](https://redirect.github.com/electron/electron/pull/35198) (Also in [19](https://redirect.github.com/electron/electron/pull/35199))
- None. [#35171](https://redirect.github.com/electron/electron/pull/35171) (Also in [19](https://redirect.github.com/electron/electron/pull/35172), [20](https://redirect.github.com/electron/electron/pull/35173))
#### Other Changes
- Fixed page size always being restricted to 4k on Linux arm64. [#35184](https://redirect.github.com/electron/electron/pull/35184)
- Security: backported fix for CVE-2022-2478. [#35099](https://redirect.github.com/electron/electron/pull/35099)
- Security: backported fix for chromium:1334864. [#35097](https://redirect.github.com/electron/electron/pull/35097)
### [`v18.3.6`](https://redirect.github.com/electron/electron/releases/tag/v18.3.6): electron v18.3.6
[Compare Source](https://redirect.github.com/electron/electron/compare/v18.3.5...v18.3.6)
### Release Notes for v18.3.6
#### Fixes
- Fixed a crash when calling `BrowserWindow.setEnabled()`. [#34973](https://redirect.github.com/electron/electron/pull/34973) (Also in [19](https://redirect.github.com/electron/electron/pull/34971), [20](https://redirect.github.com/electron/electron/pull/34972))
- Fixed a potential crash when changing window settings after initializing WCO with an invalid `titleBarStyle`. [#34873](https://redirect.github.com/electron/electron/pull/34873) (Also in [17](https://redirect.github.com/electron/electron/pull/35031), [19](https://redirect.github.com/electron/electron/pull/34874), [20](https://redirect.github.com/electron/electron/pull/34875))
- Fixed alwaysOnTop BrowserWindow option for X11 Linux. [#34911](https://redirect.github.com/electron/electron/pull/34911) (Also in [19](https://redirect.github.com/electron/electron/pull/34912), [20](https://redirect.github.com/electron/electron/pull/34913))
- Fixed an issue where BrowserWindows on macOS were incorrectly marked as resizable. [#34907](https://redirect.github.com/electron/electron/pull/34907) (Also in [19](https://redirect.github.com/electron/electron/pull/34906), [20](https://redirect.github.com/electron/electron/pull/34433))
- Fixed an issue where Windows Control Overlay buttons did not respect maximizable/minimizable/closable states of a BrowserWindow. [#34720](https://redirect.github.com/electron/electron/pull/34720) (Also in [17](https://redirect.github.com/electron/electron/pull/34733), [19](https://redirect.github.com/electron/electron/pull/34722), [20](https://redirect.github.com/electron/electron/pull/34721))
- Fixed an issue where calling `BrowserWindow.setRepresentedFilename` on macOS with `titlebarStyle: 'hiddenInset'` or `titlebarStyle: 'hidden'` inadvertently moves the traffic light location. [#34847](https://redirect.github.com/electron/electron/pull/34847) (Also in [19](https://redirect.github.com/electron/electron/pull/34848), [20](https://redirect.github.com/electron/electron/pull/34849))
- Fixed an issue where some `BrowserWindow`s opened from new links wouldn't properly load URLs. [#34910](https://redirect.github.com/electron/electron/pull/34910) (Also in [19](https://redirect.github.com/electron/electron/pull/34189))
- Fixed an issue where the minimize button with WCO enabled would incorrectly be highlighted in some cases. [#34838](https://redirect.github.com/electron/electron/pull/34838) (Also in [17](https://redirect.github.com/electron/electron/pull/34837), [19](https://redirect.github.com/electron/electron/pull/34839), [20](https://redirect.github.com/electron/electron/pull/34840))
- Fixed an issue with background colors being improperly applied to `BrowserView`s on Windows. [#33478](https://redirect.github.com/electron/electron/pull/33478) (Also in [16](https://redirect.github.com/electron/electron/pull/33546))
- Fixed empty app_id when running under wayland. [#34877](https://redirect.github.com/electron/electron/pull/34877) (Also in [19](https://redirect.github.com/electron/electron/pull/34878), [20](https://redirect.github.com/electron/electron/pull/34879))
- Fixed missing Sec-CH-UA headers and empty navigator.userAgentData. [#34758](https://redirect.github.com/electron/electron/pull/34758) (Also in [17](https://redirect.github.com/electron/electron/pull/34760), [19](https://redirect.github.com/electron/electron/pull/34757), [20](https://redirect.github.com/electron/electron/pull/34524))
- Fixed symbol generation on 32-bit Windows release builds. [#35096](https://redirect.github.com/electron/electron/pull/35096) (Also in [19](https://redirect.github.com/electron/electron/pull/35090), [20](https://redirect.github.com/electron/electron/pull/35091))
- Prevent brief display of "Ozone X11" in window title on Linux. [#34943](https://redirect.github.com/electron/electron/pull/34943)
#### Other Changes
- Backported fix for CVE-2022-2294. [#34882](https://redirect.github.com/electron/electron/pull/34882)
- Security: backported fix for [`1287804`](https://redirect.github.com/electron/electron/commit/1287804). [#35102](https://redirect.github.com/electron/electron/pull/35102)
- Security: backported fix for [`1333333`](https://redirect.github.com/electron/electron/commit/1333333). [#34689](https://redirect.github.com/electron/electron/pull/34689)
- Security: backported fix for [`1335054`](https://redirect.github.com/electron/electron/commit/1335054). [#34687](https://redirect.github.com/electron/electron/pull/34687)
- Security: backported fix for [`1335458`](https://redirect.github.com/electron/electron/commit/1335458). [#34685](https://redirect.github.com/electron/electron/pull/34685)
- Security: backported fix for [`1336014`](https://redirect.github.com/electron/electron/commit/1336014). [#35004](https://redirect.github.com/electron/electron/pull/35004)
- Security: backported fix for [`1339844`](https://redirect.github.com/electron/electron/commit/1339844). [#35002](https://redirect.github.com/electron/electron/pull/35002)
- Security: backported fix for [`1340335`](https://redirect.github.com/electron/electron/commit/1340335). [#35000](https://redirect.github.com/electron/electron/pull/35000)
- Security: backported fix for [`1340654`](https://redirect.github.com/electron/electron/commit/1340654). [#34998](https://redirect.github.com/electron/electron/pull/34998)
- Security: backported fix for CVE-2022-2162. [#34714](https://redirect.github.com/electron/electron/pull/34714)
- Security: backported fix for CVE-2022-2295. [#34881](https://redirect.github.com/electron/electron/pull/34881)
### [`v18.3.5`](https://redirect.github.com/electron/electron/releases/tag/v18.3.5): electron v18.3.5
[Compare Source](https://redirect.github.com/electron/electron/compare/v18.3.4...v18.3.5)
### Release Notes for v18.3.5
#### Fixes
- Fixed a performance problem in `crashReporter.start()` on macOS. [#34640](https://redirect.github.com/electron/electron/pull/34640) (Also in [17](https://redirect.github.com/electron/electron/pull/34637), [19](https://redirect.github.com/electron/electron/pull/34638), [20](https://redirect.github.com/electron/electron/pull/34639))
- Fixed an error where `setWindowOpenHandler()` would crash if the callback threw an error. [#34627](https://redirect.github.com/electron/electron/pull/34627) (Also in [19](https://redirect.github.com/electron/electron/pull/34546), [20](https://redirect.github.com/electron/electron/pull/34547))
- Fixed an issue where calling `w.setWindowButtonVisibility(true)` immediately after exiting fullscreen fails to show window buttons. [#34673](https://redirect.github.com/electron/electron/pull/34673) (Also in [19](https://redirect.github.com/electron/electron/pull/34674), [20](https://redirect.github.com/electron/electron/pull/34675))
- Fixed an issue where draggable regions were not recalculated when BrowserView bounds changed on Windows. [#34610](https://redirect.github.com/electron/electron/pull/34610) (Also in [19](https://redirect.github.com/electron/electron/pull/34611), [20](https://redirect.github.com/electron/electron/pull/34612))
#### Other Changes
- Backported fix for CVE-2022-2010. [#34540](https://redirect.github.com/electron/electron/pull/34540)
- Fixed an issue where BrowserViews didn't always visually update after call to `setBounds`. [#34641](https://redirect.github.com/electron/electron/pull/34641) (Also in [19](https://redirect.github.com/electron/electron/pull/34642), [20](https://redirect.github.com/electron/electron/pull/34643))
- On Linux, changed the libgdk-pixbuf dependency to be dynamically linked rather than statically linked. [#34601](https://redirect.github.com/electron/electron/pull/34601) (Also in [19](https://redirect.github.com/electron/electron/pull/34602), [20](https://redirect.github.com/electron/electron/pull/34635))
- Security: Backported fix for CVE-2022-1867. [#34631](https://redirect.github.com/electron/electron/pull/34631)
- Security: backported fix for [`1228661`](https://redirect.github.com/electron/electron/commit/1228661). [#34569](https://redirect.github.com/electron/electron/pull/34569)
- Security: backported fix for [`1306751`](https://redirect.github.com/electron/electron/commit/1306751). [#34560](https://redirect.github.com/electron/electron/pull/34560)
- Security: backported fix for [`1314310`](https://redirect.github.com/electron/electron/commit/1314310). [#34558](https://redirect.github.com/electron/electron/pull/34558)
- Security: backported fix for [`1316578`](https://redirect.github.com/electron/electron/commit/1316578). [#34568](https://redirect.github.com/electron/electron/pull/34568)
- Security: backported fix for [`1317673`](https://redirect.github.com/electron/electron/commit/1317673). [#34566](https://redirect.github.com/electron/electron/pull/34566)
- Security: backported fix for [`1318610`](https://redirect.github.com/electron/electron/commit/1318610). [#34556](https://redirect.github.com/electron/electron/pull/34556)
- Security: backported fix for [`1321078`](https://redirect.github.com/electron/electron/commit/1321078). [#34692](https://redirect.github.com/electron/electron/pull/34692)
### [`v18.3.4`](https://redirect.github.com/electron/electron/releases/tag/v18.3.4): electron v18.3.4
[Compare Source](https://redirect.github.com/electron/electron/compare/v18.3.3...v18.3.4)
### Release Notes for v18.3.4
#### Fixes
- Fixed an issue where normal bounds would not be appropriately updated if the user minimized with the minimize button. [#34485](https://redirect.github.com/electron/electron/pull/34485) (Also in [19](https://redirect.github.com/electron/electron/pull/34484), [20](https://redirect.github.com/electron/electron/pull/34486))
- Fixed an issue where passing `{ name: 'All Files', extensions: ['*'] }` in the `filters` param of open or save dialogs on Linux would disallow choosing files without an extension. [#34518](https://redirect.github.com/electron/electron/pull/34518) (Also in [19](https://redirect.github.com/electron/electron/pull/34517), [20](https://redirect.github.com/electron/electron/pull/34516))
#### Other Changes
- Backported fix for CVE-2022-2011. [#34537](https://redirect.github.com/electron/electron/pull/34537)
- Security: backported fix for [`1227995`](https://redirect.github.com/electron/electron/commit/1227995). [#34562](https://redirect.github.com/electron/electron/pull/34562)
- Security: backported fix for [`1320024`](https://redirect.github.com/electron/electron/commit/1320024). [#34554](https://redirect.github.com/electron/electron/pull/34554)
- Security: backported fix for [`1324864`](https://redirect.github.com/electron/electron/commit/1324864), [`1218100`](https://redirect.github.com/electron/electron/commit/1218100). [#34534](https://redirect.github.com/electron/electron/pull/34534)
### [`v18.3.3`](https://redirect.github.com/electron/electron/releases/tag/v18.3.3): electron v18.3.3
[Compare Source](https://redirect.github.com/electron/electron/compare/v18.3.2...v18.3.3)
### Release Notes for v18.3.3
#### Fixes
- Fixed a crash when loading a same-origin URL after a render process crash. [#34430](https://redirect.github.com/electron/electron/pull/34430) (Also in [19](https://redirect.github.com/electron/electron/pull/34431), [20](https://redirect.github.com/electron/electron/pull/34432))
- Fixed potential crash in WebFrameMain when performing a cross-origin navigation. [#34415](https://redirect.github.com/electron/electron/pull/34415) (Also in [19](https://redirect.github.com/electron/electron/pull/34416), [20](https://redirect.github.com/electron/electron/pull/34417))
### [`v18.3.2`](https://redirect.github.com/electron/electron/releases/tag/v18.3.2): electron v18.3.2
[Compare Source](https://redirect.github.com/electron/electron/compare/v18.3.1...v18.3.2)
### Release Notes for v18.3.2
#### Fixes
- Fixed an issue where pressing escape would not un-fullscreen on Windows or Linux in some circumstances. [#34361](https://redirect.github.com/electron/electron/pull/34361) (Also in [19](https://redirect.github.com/electron/electron/pull/34359))
- Fixed an issue where zombie windows can be created if `window.close()` is called during a fullscreen transition. [#34392](https://redirect.github.com/electron/electron/pull/34392) (Also in [17](https://redirect.github.com/electron/electron/pull/34390), [19](https://redirect.github.com/electron/electron/pull/34391), [20](https://redirect.github.com/electron/electron/pull/34393))
#### Other Changes
- Enable 16k page sizes support for linux arm64. [#34385](https://redirect.github.com/electron/electron/pull/34385)
### [`v18.3.1`](https://redirect.github.com/electron/electron/releases/tag/v18.3.1): electron v18.3.1
[Compare Source](https://redirect.github.com/electron/electron/compare/v18.3.0...v18.3.1)
### Release Notes for v18.3.1
#### Fixes
- Fixed crash when calling navigator.serial.getPorts(). [#34327](https://redirect.github.com/electron/electron/pull/34327) (Also in [17](https://redirect.github.com/electron/electron/pull/34328), [19](https://redirect.github.com/electron/electron/pull/34323))
#### Other Changes
- Added a TRACE call named `crash_reporter::Start` under the `electron` category for `crash_reporter::Start()`. [#34325](https://redirect.github.com/electron/electron/pull/34325) (Also in [17](https://redirect.github.com/electron/electron/pull/34324), [19](https://redirect.github.com/electron/electron/pull/34326))
### [`v18.3.0`](https://redirect.github.com/electron/electron/releases/tag/v18.3.0): electron v18.3.0
[Compare Source](https://redirect.github.com/electron/electron/compare/v18.2.4...v18.3.0)
### Release Notes for v18.3.0
#### Fixes
- Fixed a crash when calling `loadExtension` on an extension directory that's missing a manifest file. [#34304](https://redirect.github.com/electron/electron/pull/34304) (Also in [16](https://redirect.github.com/electron/electron/pull/34192), [17](https://redirect.github.com/electron/electron/pull/34193), [19](https://redirect.github.com/electron/electron/pull/34303))
- Fixed an issue where bounds changes were incorrectly delayed in the case where a window was moved or resized and `event.preventDefault` was called in either `will-resize` or `will-move` on Windows. [#34284](https://redirect.github.com/electron/electron/pull/34284) (Also in [16](https://redirect.github.com/electron/electron/pull/34282), [17](https://redirect.github.com/electron/electron/pull/34283), [19](https://redirect.github.com/electron/electron/pull/34285))
- Fixed an issue where running second instances of the same application would cause a deadlock on Windows. [#34295](https://redirect.github.com/electron/electron/pull/34295) (Also in [19](https://redirect.github.com/electron/electron/pull/34312))
- Fixed potential crash with WebFrameMain when navigating between cross-origin websites. [#34293](https://redirect.github.com/electron/electron/pull/34293) (Also in [19](https://redirect.github.com/electron/electron/pull/34294))
- Fixed service worker registration with custom protocols. [#34291](https://redirect.github.com/electron/electron/pull/34291) (Also in [19](https://redirect.github.com/electron/electron/pull/34315))
### [`v18.2.4`](https://redirect.github.com/electron/electron/releases/tag/v18.2.4): electron v18.2.4
[Compare Source](https://redirect.github.com/electron/electron/compare/v18.2.3...v18.2.4)
### Release Notes for v18.2.4
#### Fixes
- Fixed an issue where tray items wouldn't highlight in some scenarios on macOS. [#34207](https://redirect.github.com/electron/electron/pull/34207) (Also in [16](https://redirect.github.com/electron/electron/pull/34205), [17](https://redirect.github.com/electron/electron/pull/34206), [19](https://redirect.github.com/electron/electron/pull/34208))
- Fixed crash on startup on old Ubuntu versions. [#34155](https://redirect.github.com/electron/electron/pull/34155)
- SIGUSR1 is no longer handled when the `node_cli_inspect` fuse is disabled. [#34180](https://redirect.github.com/electron/electron/pull/34180) (Also in [16](https://redirect.github.com/electron/electron/pull/34182), [17](https://redirect.github.com/electron/electron/pull/34181))
#### Other Changes
- Backported fix for chromium:1320614. [#34202](https://redirect.github.com/electron/electron/pull/34202)
- Updated Chromium to 100.0.4896.160. [#34171](https://redirect.github.com/electron/electron/pull/34171)
### [`v18.2.3`](https://redirect.github.com/electron/electron/releases/tag/v18.2.3): electron v18.2.3
[Compare Source](https://redirect.github.com/electron/electron/compare/v18.2.2...v18.2.3)
### Release Notes for v18.2.3
#### Fixes
- Fixed a crash in `safeStorage` on Linux. [#34148](https://redirect.github.com/electron/electron/pull/34148) (Also in [19](https://redirect.github.com/electron/electron/pull/34147))
- Fixed building node modules with Visual Studio 2017. [#34110](https://redirect.github.com/electron/electron/pull/34110) (Also in [19](https://redirect.github.com/electron/electron/pull/34164))
### [`v18.2.2`](https://redirect.github.com/electron/electron/releases/tag/v18.2.2): electron v18.2.2
[Compare Source](https://redirect.github.com/electron/electron/compare/v18.2.0...v18.2.2)
### Release Notes for v18.2.2
#### Fixes
- Fixed a crash on Windows when opening apps in multiple, separate user sessions. [#34161](https://redirect.github.com/electron/electron/pull/34161) (Also in [19](https://redirect.github.com/electron/electron/pull/34160))
- Fixed an OSR crash happening when input select items were rendered. [#34092](https://redirect.github.com/electron/electron/pull/34092) (Also in [17](https://redirect.github.com/electron/electron/pull/34091), [19](https://redirect.github.com/electron/electron/pull/34093))
- Fixed an issue where calling `SetLoginItemSettings()` could potentially cause network volumes to be incorrectly mounted. [#34106](https://redirect.github.com/electron/electron/pull/34106) (Also in [17](https://redirect.github.com/electron/electron/pull/34107), [19](https://redirect.github.com/electron/electron/pull/34108))
- Fixed crash on startup due to missing gtk symbol on older distros. [#34150](https://redirect.github.com/electron/electron/pull/34150) (Also in [19](https://redirect.github.com/electron/electron/pull/34151))
#### Other Changes
- Backported fix for CVE-2022-1485. [#34052](https://redirect.github.com/electron/electron/pull/34052)
- Backported fix for CVE-2022-1497. [#34072](https://redirect.github.com/electron/electron/pull/34072)
### [`v18.2.0`](https://redirect.github.com/electron/electron/releases/tag/v18.2.0): electron v18.2.0
[Compare Source](https://redirect.github.com/electron/electron/compare/v18.1.0...v18.2.0)
### Release Notes for v18.2.0
#### Features
- Fixed an issue where the PDF Viewer would fail if a user attempted to reload. [#33711](https://redirect.github.com/electron/electron/pull/33711) (Also in [19](https://redirect.github.com/electron/electron/pull/33712))
#### Fixes
- Fixed an issue with the `app.requestSingleInstanceLock()` API where it would sometimes hang. [#33778](https://redirect.github.com/electron/electron/pull/33778)
#### Other Changes
- Fixed child_process.spawn ENOENT error with cwd option. [#33871](https://redirect.github.com/electron/electron/pull/33871) (Also in [16](https://redirect.github.com/electron/electron/pull/33869), [17](https://redirect.github.com/electron/electron/pull/33870), [19](https://redirect.github.com/electron/electron/pull/33872))
- Updated Chromium to 100.0.4896.143. [#33948](https://redirect.github.com/electron/electron/pull/33948)
### [`v18.1.0`](https://redirect.github.com/electron/electron/releases/tag/v18.1.0): electron v18.1.0
[Compare Source](https://redirect.github.com/electron/electron/compare/v18.0.4...v18.1.0)
### Release Notes for v18.1.0
#### Features
- Enabled `systemPreferences.subscribe{Local|Workspace}Notification` to take a `null` value for the `event` parameter. [#33771](https://redirect.github.com/electron/electron/pull/33771)
#### Fixes
- Fixed crash when img without `alt` is shown with accessibility features enabled. [#33843](https://redirect.github.com/electron/electron/pull/33843) (Also in [19](https://redirect.github.com/electron/electron/pull/33841))
- Fixed crash when opening gtk file dialogs due to mismatched versions. [#33812](https://redirect.github.com/electron/electron/pull/33812) (Also in [19](https://redirect.github.com/electron/electron/pull/33813))
#### Other Changes
- Updated Chromium to 100.0.4896.127. [#33730](https://redirect.github.com/electron/electron/pull/33730)
### [`v18.0.4`](https://redirect.github.com/electron/electron/releases/tag/v18.0.4): electron v18.0.4
[Compare Source](https://redirect.github.com/electron/electron/compare/v18.0.3...v18.0.4)
### Release Notes for v18.0.4
#### Fixes
- Apply senderFrame details to ipcMain port event. [#33782](https://redirect.github.com/electron/electron/pull/33782) (Also in [16](https://redirect.github.com/electron/electron/pull/33780), [17](https://redirect.github.com/electron/electron/pull/33781))
- Fixed an issue where `Escape` keyboard events would not be properly propagated to the parent window after entering fullscreen and then exiting it again on Windows. [#33787](https://redirect.github.com/electron/electron/pull/33787)
- Fixed the built-in PDF renderer. [#33664](https://redirect.github.com/electron/electron/pull/33664)
- `shell.openExternal()` now reports more detailed errors on Windows. [#33659](https://redirect.github.com/electron/electron/pull/33659) (Also in [15](https://redirect.github.com/electron/electron/pull/33656), [16](https://redirect.github.com/electron/electron/pull/33657), [17](https://redirect.github.com/electron/electron/pull/33658), [19](https://redirect.github.com/electron/electron/pull/33660))
- `shell.openExternal()` now reports more detailed errors on Windows. [#33705](https://redirect.github.com/electron/electron/pull/33705) (Also in [15](https://redirect.github.com/electron/electron/pull/33656), [16](https://redirect.github.com/electron/electron/pull/33657), [17](https://redirect.github.com/electron/electron/pull/33658), [19](https://redirect.github.com/electron/electron/pull/33660))
#### Other Changes
- Backported fix for chromium:1297731, b/218211225. [#33708](https://redirect.github.com/electron/electron/pull/33708)
### [`v18.0.3`](https://redirect.github.com/electron/electron/releases/tag/v18.0.3): electron v18.0.3
[Compare Source](https://redirect.github.com/electron/electron/compare/v18.0.2...v18.0.3)
### Release Notes for v18.0.3
#### Other Changes
- Updated Chromium to 100.0.4896.75. [#33619](https://redirect.github.com/electron/electron/pull/33619)
### [`v18.0.2`](https://redirect.github.com/electron/electron/releases/tag/v18.0.2): electron v18.0.2
[Compare Source](https://redirect.github.com/electron/electron/compare/v18.0.1...v18.0.2)
### Release Notes for v18.0.2
#### Fixes
- Fixed a potential crash in `Browser.getFocusedWindow()` when child windows are closed. [#33538](https://redirect.github.com/electron/electron/pull/33538) (Also in [17](https://redirect.github.com/electron/electron/pull/33539))
- Fixed an issue where the window bounds would incorrectly change if `BrowserWindow.unmaximize` was called on a window whose user bounds were maximized. [#33550](https://redirect.github.com/electron/electron/pull/33550) (Also in [16](https://redirect.github.com/electron/electron/pull/33552), [17](https://redirect.github.com/electron/electron/pull/33551))
- Fixed behavior of BrowserWindow.maximize on macOS for not shown windows. [#33537](https://redirect.github.com/electron/electron/pull/33537) (Also in [15](https://redirect.github.com/electron/electron/pull/33523), [16](https://redirect.github.com/electron/electron/pull/33535))
- Fixed incorrect return value of `app.requestSingleInstanceLock()` when setting non-existent user data folder. [#33592](https://redirect.github.com/electron/electron/pull/33592) (Also in [16](https://redirect.github.com/electron/electron/pull/33590), [17](https://redirect.github.com/electron/electron/pull/33591), [19](https://redirect.github.com/electron/electron/pull/33593))
- Fixed issues with frameless window animations and styling. [#33610](https://redirect.github.com/electron/electron/pull/33610) (Also in [19](https://redirect.github.com/electron/electron/pull/33609))
- Fixed potential crash while generating accessibility trees for certain images. [#33616](https://redirect.github.com/electron/electron/pull/33616) (Also in [19](https://redirect.github.com/electron/electron/pull/33617))
### [`v18.0.1`](https://redirect.github.com/electron/electron/releases/tag/v18.0.1): electron v18.0.1
[Compare Source](https://redirect.github.com/electron/electron/compare/v18.0.0...v18.0.1)
### Release Notes for v18.0.1
#### Fixes
- Fixed an issue where Pointer Lock behavior could not be properly exited. [#32828](https://redirect.github.com/electron/electron/pull/32828)
- Fixed crash when WindowButtonsProxy references cleared NSWindow. [#33490](https://redirect.github.com/electron/electron/pull/33490) (Also in [15](https://redirect.github.com/electron/electron/pull/33487), [16](https://redirect.github.com/electron/electron/pull/33489), [17](https://redirect.github.com/electron/electron/pull/33488))
- Fixed crash when running under Wayland caused by calling X11 functions. [#33498](https://redirect.github.com/electron/electron/pull/33498) (Also in [17](https://redirect.github.com/electron/electron/pull/33499))
#### Other Changes
- Updated Chromium to 100.0.4896.60. [#33501](https://redirect.github.com/electron/electron/pull/33501)
### [`v18.0.0`](https://redirect.github.com/electron/electron/releases/tag/v18.0.0): electron v18.0.0
[Compare Source](https://redirect.github.com/electron/electron/compare/v17.4.11...v18.0.0)
### Release Notes for v18.0.0
#### Stack Upgrades
- Chromium 100.0.4896.56
- [New in 100](https://developer.chrome.com/blog/new-in-chrome-100/)
- [New in 99](https://developer.chrome.com/blog/new-in-chrome-99/)
- Node v16.13.2
- [v16.13.2 release notes](https://nodejs.org/en/blog/release/v16.13.2/)
- [v16.13.1 release notes](https://nodejs.org/en/blog/release/v16.13.1/)
- V8 v10.0
- [V8 10.0 blog post](https://v8.dev/blog/v8-release-100)
- [V8 9.9 blog post](https://v8.dev/blog/v8-release-99)
#### Breaking Changes
- Removed the old `BrowserWindowProxy`-based implementation of `window.open`. This also removes the `nativeWindowOpen` option from `webPreferences`. [#29405](https://redirect.github.com/electron/electron/pull/29405)
#### Features
##### Additions
- Added 'focus' and 'blur' events to `WebContents`. [#25873](https://redirect.github.com/electron/electron/pull/25873)
- Added `BrowserWindow` method to change the button color, symbol color, and height of a window with WCO enabled. [#33440](https://redirect.github.com/electron/electron/pull/33440)
- Added `nativeTheme.inForcedColorsMode` API to allow detecting forced color mode. [#33357](https://redirect.github.com/electron/electron/pull/33357) (Also in [15](https://redirect.github.com/electron/electron/pull/33360), [16](https://redirect.github.com/electron/electron/pull/33359), [17](https://redirect.github.com/electron/electron/pull/33358))
- Added Substitutions menu roles on macOS: `showSubstitutions`, `toggleSmartQuotes`, `toggleSmartDashes`, `toggleTextReplacement`. [#32024](https://redirect.github.com/electron/electron/pull/32024)
- Added `first-instance-ack` event to the `app.requestSingleInstanceLock()` flow, so that users can pass some data back from the second instance to the first instance. [#31460](https://redirect.github.com/electron/electron/pull/31460)
- Added `height` option for Windows Control Overlay. [#31222](https://redirect.github.com/electron/electron/pull/31222) (Also in [15](https://redirect.github.com/electron/electron/pull/33064), [16](https://redirect.github.com/electron/electron/pull/33061), [17](https://redirect.github.com/electron/electron/pull/32939))
- Added `ses.setCodeCachePath()` API for setting code cache directory. [#33286](https://redirect.github.com/electron/electron/pull/33286) (Also in [17](https://redirect.github.com/electron/electron/pull/33285))
- Added rawHeaders to IncomingMessage. [#31853](https://redirect.github.com/electron/electron/pull/31853)
- Added support for more color formats in `setBackgroundColor`. [#33364](https://redirect.github.com/electron/electron/pull/33364)
- Added warning that preload scripts will be sandboxed by default beginning in Electron 20. [#33203](https://redirect.github.com/electron/electron/pull/33203)
- Support obsolete blowfish ciphers bf-{cbc,cfb,ecb} through the Node.js crypto API. [#32356](https://redirect.github.com/electron/electron/pull/32356) (Also in [17](https://redirect.github.com/electron/electron/pull/32439))
#### Fixes
- Fixed a V8 crash that could happen randomly in non-sandboxed renderer processes. [#33260](https://redirect.github.com/electron/electron/pull/33260)
- Fixed a bug where `BrowserWindow.fromWebContents` would return `undefined` during the `browser-window-created` event. [#33316](https://redirect.github.com/electron/electron/pull/33316)
- Fixed an issue where First Party Sets were not correctly loaded on app launch. [#33345](https://redirect.github.com/electron/electron/pull/33345)
- Fixed an issue where new bounds set via `setBounds` was not correctly applied if the user was moving or resizing the window concurrently on Windows. [#33375](https://redirect.github.com/electron/electron/pull/33375)
- Fixed an issue where pages would not properly print on macOS due to a rendering failure. [#32813](https://redirect.github.com/electron/electron/pull/32813)
- Fix: initialize asar support in worker threads. [#33396](https://redirect.github.com/electron/electron/pull/33396)
- Fixed the IncrementCapturerCount regression introduced by 13.0.0-beta.21. [#33371](https://redirect.github.com/electron/electron/pull/33371)
##### Also in earlier versions....
- Allowed specifying x64 arch on Mac Rosetta via `npm_config_arch`. [#32266](https://redirect.github.com/electron/electron/pull/32266) (Also in [15](https://redirect.github.com/electron/electron/pull/32380), [16](https://redirect.github.com/electron/electron/pull/32381), [17](https://redirect.github.com/electron/electron/pull/32382))
- Assertion failure happening in the `showSaveDialogSync()` code path has been fixed. (Fixes [#31997](https://redirect.github.com/electron/electron/issues/31997)). [#32049](https://redirect.github.com/electron/electron/pull/32049) (Also in [14](https://redirect.github.com/electron/electron/pull/32080), [15](https://redirect.github.com/electron/electron/pull/32081), [16](https://redirect.github.com/electron/electron/pull/32082), [17](https://redirect.github.com/electron/electron/pull/32083))
- Bug fixed for registering protocol in windows which used to set invalid command if the execution path included space. [#32220](https://redirect.github.com/electron/electron/pull/32220) (Also in [14](https://redirect.github.com/electron/electron/pull/32328), [15](https://redirect.github.com/electron/electron/pull/32330), [16](https://redirect.github.com/electron/electron/pull/32331), [17](https://redirect.github.com/electron/electron/pull/32329))
- Fire 'show' event when a BrowserWindow is shown via maximize(). [#33214](https://redirect.github.com/electron/electron/pull/33214) (Also in [16](https://redirect.github.com/electron/electron/pull/33212), [17](https://redirect.github.com/electron/electron/pull/33213))
- Fixed BrowserWindow.showInactive restoring a maximized window to non-maximized on Windows. [#33022](https://redirect.github.com/electron/electron/pull/33022) (Also in [16](https://redirect.github.com/electron/electron/pull/33020), [17](https://redirect.github.com/electron/electron/pull/33021))
- Fixed VoiceOver not reading typed words correctly in MAS builds. [#32543](https://redirect.github.com/electron/electron/pull/32543) (Also in [17](https://redirect.github.com/electron/electron/pull/32567))
- Fixed `maxWidth` not working in BrowserWindow constructor options. [#32628](https://redirect.github.com/electron/electron/pull/32628) (Also in [17](https://redirect.github.com/electron/electron/pull/32637))
- Fixed `window.open` not overriding parent's `webPreferences`. [#32057](https://redirect.github.com/electron/electron/pull/32057) (Also in [15](https://redirect.github.com/electron/electron/pull/32109), [16](https://redirect.github.com/electron/electron/pull/32108), [17](https://redirect.github.com/electron/electron/pull/32107))
- Fixed a crash caused by app.getLocaleCountryCode(). [#32256](https://redirect.github.com/electron/electron/pull/32256) (Also in [15](https://redirect.github.com/electron/electron/pull/32332), [16](https://redirect.github.com/electron/electron/pull/32321), [17](https://redirect.github.com/electron/electron/pull/32322))
- Fixed a crash that occurred when a user attempted to print a document either with `window.print()`, the print button in the PDF viewer, or with `BrowserWindow.webContents()` and clicked cancel in the resulting print dialog. [#32632](https://redirect.github.com/electron/electron/pull/32632) (Also in [17](https://redirect.github.com/electron/electron/pull/33015))
- Fixed a crash that occurred when user attempted to download an edited PDF. [#32512](https://redirect.github.com/electron/electron/pull/32512) (Also in [15](https://redirect.github.com/electron/electron/pull/32537), [16](https://redirect.github.com/electron/electron/pull/32538), [17](https://redirect.github.com/electron/electron/pull/32539))
- Fixed a crash when starting VoiceOver on macOS. [#32564](https://redirect.github.com/electron/electron/pull/32564) (Also in [17](https://redirect.github.com/electron/electron/pull/32578))
- Fixed a network service crash that could occur when using setCertificateVerifyProc. [#33253](https://redirect.github.com/electron/electron/pull/33253) (Also in [17](https://redirect.github.com/electron/electron/pull/33254))
- Fixed a potential crash in v8 by using allocation type: kOld in v8 ScriptOrModule legacy lifetime. [#32339](https://redirect.github.com/electron/electron/pull/32339) (Also in [17](https://redirect.github.com/electron/electron/pull/32355))
- Fixed a potential crash when importing media files or custom file types. [#31881](https://redirect.github.com/electron/electron/pull/31881) (Also in [16](https://redirect.github.com/electron/electron/pull/31883), [17](https://redirect.github.com/electron/electron/pull/31884))
- Fixed a potential issue when setting backgroundColor on `BrowserView`s. [#31863](https://redirect.github.com/electron/electron/pull/31863) (Also in [14](https://redirect.github.com/electron/electron/pull/31945), [15](https://redirect.github.com/electron/electron/pull/31946), [16](https://redirect.github.com/electron/electron/pull/31947), [17](https://redirect.github.com/electron/electron/pull/31948))
- Fixed an issue that the `alert()` dialog title is corrupted. [#32434](https://redirect.github.com/electron/electron/pull/32434) (Also in [14](https://redirect.github.com/electron/electron/pull/32467), [15](https://redirect.github.com/electron/electron/pull/32468), [16](https://redirect.github.com/electron/electron/pull/32470), [17](https://redirect.github.com/electron/electron/pull/32469))
- Fixed an issue where BrowserView layout bounds were limited to its visible bounds. [#33399](https://redirect.github.com/electron/electron/pull/33399) (Also in [17](https://redirect.github.com/electron/electron/pull/33398))
- Fixed an issue where Chrome DevTools settings didn't persist between loads. [#33206](https://redirect.github.com/electron/electron/pull/33206) (Also in [17](https://redirect.github.com/electron/electron/pull/33273))
- Fixed an issue where `alternateImage`s did not work properly on macOS. [#33107](https://redirect.github.com/electron/electron/pull/33107) (Also in [15](https://redirect.github.com/electron/electron/pull/33104), [16](https://redirect.github.com/electron/electron/pull/33106), [17](https://redirect.github.com/electron/electron/pull/33105))
- Fixed an issue where `ipcRenderer.postMessage` would throw errors when the `transfer` argument was not passed. [#32433](https://redirect.github.com/electron/electron/pull/32433) (Also in [14](https://redirect.github.com/electron/electron/pull/32457), [15](https://redirect.github.com/electron/electron/pull/32458), [16](https://redirect.github.com/electron/electron/pull/32460), [17](https://redirect.github.com/electron/electron/pull/32459))
- Fixed an issue where `webContents.openDevTools({ mode })` did not work for certain dock positions. [#32946](https://redirect.github.com/electron/electron/pull/32946) (Also in [17](https://redirect.github.com/electron/electron/pull/32945))
- Fixed an issue where `webContents.savePage` failed when passing a relative path instead of an absolute one. [#33019](https://redirect.github.com/electron/electron/pull/33019) (Also in [15](https://redirect.github.com/electron/electron/pull/33018), [16](https://redirect.github.com/electron/electron/pull/33017), [17](https://redirect.github.com/electron/electron/pull/33016))
- Fixed an issue where adding/removing display changes the BrowserWindow size. [#33250](https://redirect.github.com/electron/electron/pull/33250) (Also in [14](https://redirect.github.com/electron/electron/pull/33247), [15](https://redirect.github.com/electron/electron/pull/33248), [16](https://redirect.github.com/electron/electron/pull/33249), [17](https://redirect.github.com/electron/electron/pull/33251))
- Fixed an issue where calling screen capture on macOS does not properly release underlying OS capture mechanisms. [#32435](https://redirect.github.com/electron/electron/pull/32435) (Also in [17](https://redirect.github.com/electron/electron/pull/32464))
- Fixed an issue where clicking "Open in Containing Folder" in the Sources tab in Devtools caused a crash. [#33197](https://redirect.github.com/electron/electron/pull/33197) (Also in [16](https://redirect.github.com/electron/electron/pull/33313), [17](https://redirect.github.com/electron/electron/pull/33196))
- Fixed an issue where frameless vibrant windows would not show transparency correctly on macOS. [#32593](https://redirect.github.com/electron/electron/pull/32593) (Also in [16](https://redirect.github.com/electron/electron/pull/32648), [17](https://redirect.github.com/electron/electron/pull/32649))
- Fixed an issue where frameless windows on Windows would incorrectly show a small frame during the loading process. [#32714](https://redirect.github.com/electron/electron/pull/32714) (Also in [14](https://redirect.github.com/electron/electron/pull/32709), [15](https://redirect.github.com/electron/electron/pull/32708), [16](https://redirect.github.com/electron/electron/pull/32710), [17](https://redirect.github.com/electron/electron/pull/32707))
- Fixed an issue where if `backgroundColor` was set to `undefined`, vibrancy failed to work and the `backgroundColor` would show up as white. [#32517](https://redirect.github.com/electron/electron/pull/32517) (Also in [16](https://redirect.github.com/electron/electron/pull/32654), [17](https://redirect.github.com/electron/electron/pull/32653))
- Fixed an issue where setting window `maxHeight` or `maxWidth` made it so the width and height could no longer be resized. [#33119](https://redirect.github.com/electron/electron/pull/33119) (Also in [17](https://redirect.github.com/electron/electron/pull/33118))
- Fixed an issue where the 'maximize' and 'unmaximize' events didn't fire properly on linux. [#32441](https://redirect.github.com/electron/electron/pull/32441) (Also in [14](https://redirect.github.com/electron/electron/pull/32499), [15](https://redirect.github.com/electron/electron/pull/32498), [16](https://redirect.github.com/electron/electron/pull/32497), [17](https://redirect.github.com/electron/electron/pull/32492))
- Fixed an issue where the Tray could get garbage collected incorrectly under some circumstances. [#33074](https://redirect.github.com/electron/electron/pull/33074) (Also in [15](https://redirect.github.com/electron/electron/pull/33077), [16](https://redirect.github.com/electron/electron/pull/33075), [17](https://redirect.github.com/electron/electron/pull/33076))
- Fixed an issue with transparent windows failing to fire the `maximize` and `unmaximize` events on Windows. [#32643](https://redirect.github.com/electron/electron/pull/32643) (Also in [17](https://redirect.github.com/electron/electron/pull/32690))
- Fixed an occasional crash on Mac when spawning a child process. [#33117](https://redirect.github.com/electron/electron/pull/33117) (Also in [17](https://redirect.github.com/electron/electron/pull/33116))
- Fixed aspect ratio resize for frameless windows on macOS. [#32287](https://redirect.github.com/electron/electron/pull/32287) (Also in [15](https://redirect.github.com/electron/electron/pull/32445), [16](https://redirect.github.com/electron/electron/pull/32446), [17](https://redirect.github.com/electron/electron/pull/32447))
- Fixed broken event loop in renderer process when process reuse is enabled on windows platform. [#33361](https://redirect.github.com/electron/electron/pull/33361) (Also in [16](https://redirect.github.com/electron/electron/pull/33363), [17](https://redirect.github.com/electron/electron/pull/33362))
- Fixed broken transparency option in offscreen window rendering. [#33053](https://redirect.github.com/electron/electron/pull/33053) (Also in [16](https://redirect.github.com/electron/electron/pull/33051), [17](https://redi
This PR contains the following updates:
2.0.18 -> 18.3.7
GitHub Vulnerability Alerts
CVE-2020-26272
Impact
IPC messages sent from the main process to a subframe in the renderer process, through `webContents.sendToFrame`, `event.reply` or when using the `remote` module, can in some cases be delivered to the wrong frame.
If your app does ANY of the following, then it is impacted by this issue:
- `remote`
- `webContents.sendToFrame`
- `event.reply` in an IPC message handler
Patches
This has been fixed in the following versions:
Workarounds
There are no workarounds for this issue.
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.
CVE-2021-39184
Impact
This vulnerability allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases.
All current stable versions of Electron are affected.
Patches
This was fixed with #30728, and the following Electron versions contain the fix:
Workarounds
If your app enables `contextIsolation`, this vulnerability is significantly more difficult for an attacker to exploit.
Further, if your app does not depend on the `createThumbnailFromPath` API, then you can simply disable the functionality. In the main process, before the 'ready' event:
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.
CVE-2020-15096
Impact
Apps using `contextIsolation` are affected.
This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.
Workarounds
There are no app-side workarounds, you must update your Electron version to be protected.
Fixed Versions
9.0.0-beta.21
8.2.4
7.2.4
6.1.11
For more information
If you have any questions or comments about this advisory:
CVE-2020-4075
Impact
The vulnerability allows arbitrary local file read by defining unsafe window options on a child window opened via window.open.
Workarounds
Ensure you are calling `event.preventDefault()` on all `new-window` events where the `url` or `options` is not something you expect.
Fixed Versions
9.0.0-beta.21
8.2.4
7.2.4
For more information
If you have any questions or comments about this advisory:
CVE-2020-4077
Impact
Apps using both `contextIsolation` and `contextBridge` are affected.
This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.
Workarounds
There are no app-side workarounds, you must update your Electron version to be protected.
Fixed Versions
9.0.0-beta.21
8.2.4
7.2.4
For more information
If you have any questions or comments about this advisory:
CVE-2020-4076
Impact
Apps using `contextIsolation` are affected.
This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.
Workarounds
There are no app-side workarounds, you must update your Electron version to be protected.
Fixed Versions
9.0.0-beta.21
8.2.4
7.2.4
Non-Impacted Versions
9.0.0-beta.*
For more information
If you have any questions or comments about this advisory:
CVE-2022-21718
Impact
This vulnerability allows renderers to obtain access to a random bluetooth device via the web bluetooth API if the app has not configured a custom `select-bluetooth-device` event handler. The device that is accessed is random and the attacker would have no way of selecting a specific device.
All current stable versions of Electron are affected.
Patches
This has been patched and the following Electron versions contain the fix:
17.0.0-alpha.6
16.0.6
15.3.5
14.2.4
13.6.6
Workarounds
Adding this code to your app can work around the issue.
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.
CVE-2022-29247
Impact
This vulnerability allows a renderer with JS execution to obtain access to a new renderer process with `nodeIntegrationInSubFrames` enabled which in turn allows effective access to `ipcRenderer`.
Please note the misleadingly named `nodeIntegrationInSubFrames` option does not implicitly grant Node.js access rather it depends on the existing `sandbox` setting. If your application is sandboxed then `nodeIntegrationInSubFrames` just gives access to the sandboxed renderer APIs (which includes `ipcRenderer`).
If your application then additionally exposes IPC messages without IPC `senderFrame` validation that perform privileged actions or return confidential data this access to `ipcRenderer` can in turn compromise your application / user even with the sandbox enabled.
Patches
This has been patched and the following Electron versions contain the fix:
18.0.0-beta.6
17.2.0
16.2.6
15.5.5
Workarounds
Ensure that all IPC message handlers appropriately validate `senderFrame` as per our security tutorial here.
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.
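One way to do the `senderFrame` validation this advisory calls for, as an added example rather than code from the Electron project or its security tutorial. The allowlisted origin, the `topFrameOnly` policy flag, the `guardedHandle` wrapper and the `get-secrets` channel name are assumptions for illustration.

```javascript
// Added example, not Electron project code. The origin below is a constructed value.
const POLICY = {
  origins: new Set(['https://app.example.com']), // assumption: where the app's own UI is served from
  topFrameOnly: true                             // assumption: subframes never need privileged IPC
};

// Decide whether the frame that sent an IPC message may reach a privileged handler.
function isTrustedSender(frame, policy) {
  // No frame object or no URL to inspect: reject rather than guess.
  if (!frame || typeof frame.url !== 'string') return false;
  // WebFrameMain.parent is null for the top frame, so any parent means "subframe".
  if (policy.topFrameOnly && frame.parent) return false;
  let origin;
  try {
    origin = new URL(frame.url).origin; // exact origin match, never a substring test
  } catch {
    return false;
  }
  return policy.origins.has(origin);
}

// Wrap ipcMain.handle so the sender check cannot be forgotten on a channel.
function guardedHandle(ipcMain, channel, policy, handler) {
  ipcMain.handle(channel, (event, ...args) => {
    if (!isTrustedSender(event.senderFrame, policy)) {
      // Throwing here rejects the renderer's ipcRenderer.invoke() promise.
      throw new Error(`IPC "${channel}" rejected: untrusted sender frame`);
    }
    return handler(event, ...args);
  });
}

// Assumed wiring in the main process:
//   const { ipcMain } = require('electron');
//   guardedHandle(ipcMain, 'get-secrets', POLICY, () => readSecrets());
```

Comparing the parsed origin, not a prefix of the URL string, is what keeps look-alike hosts such as `app.example.com.evil.test` out.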
CVE-2022-29257
Impact
This vulnerability allows attackers who have control over a given app's update server / update storage to serve maliciously crafted update packages that pass the code signing validation check but contain malicious code in some components.
Please note that this kind of attack would require significant privileges in your own auto updating infrastructure and the ease of that attack entirely depends on your infrastructure security.
Patches
This has been patched and the following Electron versions contain the fix:
18.0.0-beta.6
17.2.0
16.2.0
15.5.0
Workarounds
There are no workarounds for this issue, please update to a patched version of Electron.
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org
CVE-2022-36077
Impact
When following a redirect, Electron delays a check for redirecting to file:// URLs from other schemes. The contents of the file are not available to the renderer following the redirect, but if the redirect target is an SMB URL such as `file://some.website.com/`, then in some cases, Windows will connect to that server and attempt NTLM authentication, which can include sending hashed credentials.
Patches
This issue has been fixed in all current stable versions of Electron. Specifically, these versions contain the fixes:
We recommend all apps upgrade to the latest stable version of Electron.
Workarounds
If upgrading isn't possible, this issue can be addressed without upgrading by preventing redirects to file:// URLs in the `WebContents.on('will-redirect')` event, for all WebContents:
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.
Credit
Thanks to user @coolcoolnoworries for reporting this issue.
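The two per-`WebContents` workarounds described above (the `select-bluetooth-device` handler for CVE-2022-21718 and the `will-redirect` check for CVE-2022-36077) can be installed from a single `web-contents-created` listener. This is an added example, not the snippets from the original advisories; `installWebContentsGuards`, `isFileUrl` and the `log` callback are hypothetical names, and `app` is passed in as a parameter so the logic can be exercised without Electron.

```javascript
// Added example, not Electron project code.

// True when a redirect target uses the file: scheme, however it is spelled.
function isFileUrl(target) {
  if (typeof target !== 'string') return true; // fail closed on unexpected input
  try {
    // The URL parser lower-cases the scheme and strips leading whitespace,
    // so "FILE://host/share" and " file:///x" are both recognised.
    return new URL(target).protocol === 'file:';
  } catch {
    // Unparseable input: fall back to a case-insensitive prefix check.
    return /^\s*file:/i.test(target);
  }
}

// Register both guards on every WebContents the app creates.
// `log` is an optional callback (kind, detail) for audit logging.
function installWebContentsGuards(app, log = () => {}) {
  app.on('web-contents-created', (_event, webContents) => {
    // CVE-2022-36077: refuse any redirect whose target is a file: URL, which
    // on Windows may name an SMB host and trigger NTLM authentication.
    webContents.on('will-redirect', (event, url) => {
      if (isFileUrl(url)) {
        event.preventDefault();
        log('blocked-file-redirect', url);
      }
    });

    // CVE-2022-21718: without a handler a device is picked automatically.
    // Here the request is cancelled; an app that really uses Web Bluetooth
    // would show its own chooser and pass the chosen deviceId instead.
    webContents.on('select-bluetooth-device', (event, devices, callback) => {
      event.preventDefault();
      callback(''); // empty string cancels the request
      log('cancelled-bluetooth-request', devices.length);
    });
  });
}

// Assumed wiring in the main process, before any window is created:
//   const { app } = require('electron');
//   installWebContentsGuards(app, (kind, detail) => console.warn(kind, detail));
```

Logging the blocked events gives a detection signal: a `blocked-file-redirect` entry means some page tried to bounce the app to a `file://` target.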
Release Notes
electron/electron (electron)
### [`v18.3.7`](https://redirect.github.com/electron/electron/releases/tag/v18.3.7): electron v18.3.7 [Compare Source](https://redirect.github.com/electron/electron/compare/v18.3.6...v18.3.7) ### Release Notes for v18.3.7 #### Fixes - Fixed WCO not responding to touch events on windows. [#35177](https://redirect.github.com/electron/electron/pull/35177) (Also in [19](https://redirect.github.com/electron/electron/pull/35176), [20](https://redirect.github.com/electron/electron/pull/35174)) - Fixed `webContents.getUserAgent()` incorrectly returning an empty string unless previously set. [#35130](https://redirect.github.com/electron/electron/pull/35130) (Also in [17](https://redirect.github.com/electron/electron/pull/35151), [19](https://redirect.github.com/electron/electron/pull/35132), [20](https://redirect.github.com/electron/electron/pull/35131)) - Fixed an issue in which calling setBounds() after e.preventDefault in a 'will-move' or 'will-resize' event wouldn't change the window's shape until the mouse button was released. [#35082](https://redirect.github.com/electron/electron/pull/35082) (Also in [19](https://redirect.github.com/electron/electron/pull/35083), [20](https://redirect.github.com/electron/electron/pull/35084)) - Fixed context menu not showing all items on macOS when dock is not hidden. [#35198](https://redirect.github.com/electron/electron/pull/35198) (Also in [19](https://redirect.github.com/electron/electron/pull/35199)) - None. [#35171](https://redirect.github.com/electron/electron/pull/35171) (Also in [19](https://redirect.github.com/electron/electron/pull/35172), [20](https://redirect.github.com/electron/electron/pull/35173)) #### Other Changes - Fixed page size always being restricted to 4k on Linux arm64. [#35184](https://redirect.github.com/electron/electron/pull/35184) - Security: backported fix for CVE-2022-2478. [#35099](https://redirect.github.com/electron/electron/pull/35099) - Security: backported fix for chromium:1334864. 
[#35097](https://redirect.github.com/electron/electron/pull/35097) ### [`v18.3.6`](https://redirect.github.com/electron/electron/releases/tag/v18.3.6): electron v18.3.6 [Compare Source](https://redirect.github.com/electron/electron/compare/v18.3.5...v18.3.6) ### Release Notes for v18.3.6 #### Fixes - Fixed a crash when calling `BrowserWindow.setEnabled()`. [#34973](https://redirect.github.com/electron/electron/pull/34973) (Also in [19](https://redirect.github.com/electron/electron/pull/34971), [20](https://redirect.github.com/electron/electron/pull/34972)) - Fixed a potential crash when changing window settings after initializing WCO with an invalid `titleBarStyle`. [#34873](https://redirect.github.com/electron/electron/pull/34873) (Also in [17](https://redirect.github.com/electron/electron/pull/35031), [19](https://redirect.github.com/electron/electron/pull/34874), [20](https://redirect.github.com/electron/electron/pull/34875)) - Fixed alwaysOnTop BrowserWindow option for X11 Linux. [#34911](https://redirect.github.com/electron/electron/pull/34911) (Also in [19](https://redirect.github.com/electron/electron/pull/34912), [20](https://redirect.github.com/electron/electron/pull/34913)) - Fixed an issue where BrowserWindows on macOS were incorrectly marked as resizable. [#34907](https://redirect.github.com/electron/electron/pull/34907) (Also in [19](https://redirect.github.com/electron/electron/pull/34906), [20](https://redirect.github.com/electron/electron/pull/34433)) - Fixed an issue where Windows Control Overlay buttons did not respect maximizable/minimizable/closable states of a BrowserWindow. 
[#34720](https://redirect.github.com/electron/electron/pull/34720) (Also in [17](https://redirect.github.com/electron/electron/pull/34733), [19](https://redirect.github.com/electron/electron/pull/34722), [20](https://redirect.github.com/electron/electron/pull/34721)) - Fixed an issue where calling `BrowserWindow.setRepresentedFilename` on macOS with `titlebarStyle: 'hiddenInset'` or `titlebarStyle: 'hidden'` inadvertently moves the traffic light location. [#34847](https://redirect.github.com/electron/electron/pull/34847) (Also in [19](https://redirect.github.com/electron/electron/pull/34848), [20](https://redirect.github.com/electron/electron/pull/34849)) - Fixed an issue where some `BrowserWindow`s opened from new links wouldn't properly load URLs. [#34910](https://redirect.github.com/electron/electron/pull/34910) (Also in [19](https://redirect.github.com/electron/electron/pull/34189)) - Fixed an issue where the minimize button with WCO enabled would incorrectly be highlighted in some cases. [#34838](https://redirect.github.com/electron/electron/pull/34838) (Also in [17](https://redirect.github.com/electron/electron/pull/34837), [19](https://redirect.github.com/electron/electron/pull/34839), [20](https://redirect.github.com/electron/electron/pull/34840)) - Fixed an issue with background colors being improperly applied to `BrowserView`s on Windows. [#33478](https://redirect.github.com/electron/electron/pull/33478) (Also in [16](https://redirect.github.com/electron/electron/pull/33546)) - Fixed empty app_id when running under wayland. [#34877](https://redirect.github.com/electron/electron/pull/34877) (Also in [19](https://redirect.github.com/electron/electron/pull/34878), [20](https://redirect.github.com/electron/electron/pull/34879)) - Fixed missing Sec-CH-UA headers and empty navigator.userAgentData. 
[#34758](https://redirect.github.com/electron/electron/pull/34758) (Also in [17](https://redirect.github.com/electron/electron/pull/34760), [19](https://redirect.github.com/electron/electron/pull/34757), [20](https://redirect.github.com/electron/electron/pull/34524)) - Fixed symbol generation on 32-bit Windows release builds. [#35096](https://redirect.github.com/electron/electron/pull/35096) (Also in [19](https://redirect.github.com/electron/electron/pull/35090), [20](https://redirect.github.com/electron/electron/pull/35091)) - Prevent brief display of "Ozone X11" in window title on Linux. [#34943](https://redirect.github.com/electron/electron/pull/34943) #### Other Changes - Backported fix for CVE-2022-2294. [#34882](https://redirect.github.com/electron/electron/pull/34882) - Security: backported fix for [`1287804`](https://redirect.github.com/electron/electron/commit/1287804). [#35102](https://redirect.github.com/electron/electron/pull/35102) - Security: backported fix for [`1333333`](https://redirect.github.com/electron/electron/commit/1333333). [#34689](https://redirect.github.com/electron/electron/pull/34689) - Security: backported fix for [`1335054`](https://redirect.github.com/electron/electron/commit/1335054). [#34687](https://redirect.github.com/electron/electron/pull/34687) - Security: backported fix for [`1335458`](https://redirect.github.com/electron/electron/commit/1335458). [#34685](https://redirect.github.com/electron/electron/pull/34685) - Security: backported fix for [`1336014`](https://redirect.github.com/electron/electron/commit/1336014). [#35004](https://redirect.github.com/electron/electron/pull/35004) - Security: backported fix for [`1339844`](https://redirect.github.com/electron/electron/commit/1339844). [#35002](https://redirect.github.com/electron/electron/pull/35002) - Security: backported fix for [`1340335`](https://redirect.github.com/electron/electron/commit/1340335). 
[#35000](https://redirect.github.com/electron/electron/pull/35000)
- Security: backported fix for [`1340654`](https://redirect.github.com/electron/electron/commit/1340654). [#34998](https://redirect.github.com/electron/electron/pull/34998)
- Security: backported fix for CVE-2022-2162. [#34714](https://redirect.github.com/electron/electron/pull/34714)
- Security: backported fix for CVE-2022-2295. [#34881](https://redirect.github.com/electron/electron/pull/34881)

### [`v18.3.5`](https://redirect.github.com/electron/electron/releases/tag/v18.3.5): electron v18.3.5

[Compare Source](https://redirect.github.com/electron/electron/compare/v18.3.4...v18.3.5)

### Release Notes for v18.3.5

#### Fixes

- Fixed a performance problem in `crashReporter.start()` on macOS. [#34640](https://redirect.github.com/electron/electron/pull/34640) (Also in [17](https://redirect.github.com/electron/electron/pull/34637), [19](https://redirect.github.com/electron/electron/pull/34638), [20](https://redirect.github.com/electron/electron/pull/34639))
- Fixed an error where `setWindowOpenHandler()` would crash if the callback threw an error. [#34627](https://redirect.github.com/electron/electron/pull/34627) (Also in [19](https://redirect.github.com/electron/electron/pull/34546), [20](https://redirect.github.com/electron/electron/pull/34547))
- Fixed an issue where calling `w.setWindowButtonVisibility(true)` immediately after exiting fullscreen fails to show window buttons. [#34673](https://redirect.github.com/electron/electron/pull/34673) (Also in [19](https://redirect.github.com/electron/electron/pull/34674), [20](https://redirect.github.com/electron/electron/pull/34675))
- Fixed an issue where draggable regions were not recalculated when BrowserView bounds changed on Windows.
[#34610](https://redirect.github.com/electron/electron/pull/34610) (Also in [19](https://redirect.github.com/electron/electron/pull/34611), [20](https://redirect.github.com/electron/electron/pull/34612))

#### Other Changes

- Backported fix for CVE-2022-2010. [#34540](https://redirect.github.com/electron/electron/pull/34540)
- Fixed an issue where BrowserViews didn't always visually update after call to `setBounds`. [#34641](https://redirect.github.com/electron/electron/pull/34641) (Also in [19](https://redirect.github.com/electron/electron/pull/34642), [20](https://redirect.github.com/electron/electron/pull/34643))
- On Linux, changed the libgdk-pixbuf dependency to be dynamically linked rather than statically linked. [#34601](https://redirect.github.com/electron/electron/pull/34601) (Also in [19](https://redirect.github.com/electron/electron/pull/34602), [20](https://redirect.github.com/electron/electron/pull/34635))
- Security: Backported fix for CVE-2022-1867. [#34631](https://redirect.github.com/electron/electron/pull/34631)
- Security: backported fix for [`1228661`](https://redirect.github.com/electron/electron/commit/1228661). [#34569](https://redirect.github.com/electron/electron/pull/34569)
- Security: backported fix for [`1306751`](https://redirect.github.com/electron/electron/commit/1306751). [#34560](https://redirect.github.com/electron/electron/pull/34560)
- Security: backported fix for [`1314310`](https://redirect.github.com/electron/electron/commit/1314310). [#34558](https://redirect.github.com/electron/electron/pull/34558)
- Security: backported fix for [`1316578`](https://redirect.github.com/electron/electron/commit/1316578). [#34568](https://redirect.github.com/electron/electron/pull/34568)
- Security: backported fix for [`1317673`](https://redirect.github.com/electron/electron/commit/1317673).
[#34566](https://redirect.github.com/electron/electron/pull/34566)
- Security: backported fix for [`1318610`](https://redirect.github.com/electron/electron/commit/1318610). [#34556](https://redirect.github.com/electron/electron/pull/34556)
- Security: backported fix for [`1321078`](https://redirect.github.com/electron/electron/commit/1321078). [#34692](https://redirect.github.com/electron/electron/pull/34692)

### [`v18.3.4`](https://redirect.github.com/electron/electron/releases/tag/v18.3.4): electron v18.3.4

[Compare Source](https://redirect.github.com/electron/electron/compare/v18.3.3...v18.3.4)

### Release Notes for v18.3.4

#### Fixes

- Fixed an issue where normal bounds would not be appropriately updated if the user minimized with the minimize button. [#34485](https://redirect.github.com/electron/electron/pull/34485) (Also in [19](https://redirect.github.com/electron/electron/pull/34484), [20](https://redirect.github.com/electron/electron/pull/34486))
- Fixed an issue where passing `{ name: 'All Files', extensions: ['*'] }` in the `filters` param of open or save dialogs on Linux would disallow choosing files without an extension. [#34518](https://redirect.github.com/electron/electron/pull/34518) (Also in [19](https://redirect.github.com/electron/electron/pull/34517), [20](https://redirect.github.com/electron/electron/pull/34516))

#### Other Changes

- Backported fix for CVE-2022-2011. [#34537](https://redirect.github.com/electron/electron/pull/34537)
- Security: backported fix for [`1227995`](https://redirect.github.com/electron/electron/commit/1227995). [#34562](https://redirect.github.com/electron/electron/pull/34562)
- Security: backported fix for [`1320024`](https://redirect.github.com/electron/electron/commit/1320024).
[#34554](https://redirect.github.com/electron/electron/pull/34554)
- Security: backported fix for [`1324864`](https://redirect.github.com/electron/electron/commit/1324864), [`1218100`](https://redirect.github.com/electron/electron/commit/1218100). [#34534](https://redirect.github.com/electron/electron/pull/34534)

### [`v18.3.3`](https://redirect.github.com/electron/electron/releases/tag/v18.3.3): electron v18.3.3

[Compare Source](https://redirect.github.com/electron/electron/compare/v18.3.2...v18.3.3)

### Release Notes for v18.3.3

#### Fixes

- Fixed a crash when loading a same-origin URL after a render process crash. [#34430](https://redirect.github.com/electron/electron/pull/34430) (Also in [19](https://redirect.github.com/electron/electron/pull/34431), [20](https://redirect.github.com/electron/electron/pull/34432))
- Fixed potential crash in WebFrameMain when performing a cross-origin navigation. [#34415](https://redirect.github.com/electron/electron/pull/34415) (Also in [19](https://redirect.github.com/electron/electron/pull/34416), [20](https://redirect.github.com/electron/electron/pull/34417))

### [`v18.3.2`](https://redirect.github.com/electron/electron/releases/tag/v18.3.2): electron v18.3.2

[Compare Source](https://redirect.github.com/electron/electron/compare/v18.3.1...v18.3.2)

### Release Notes for v18.3.2

#### Fixes

- Fixed an issue where pressing escape would not un-fullscreen on Windows or Linux in some circumstances. [#34361](https://redirect.github.com/electron/electron/pull/34361) (Also in [19](https://redirect.github.com/electron/electron/pull/34359))
- Fixed an issue where zombie windows can be created if `window.close()` is called during a fullscreen transition.
[#34392](https://redirect.github.com/electron/electron/pull/34392) (Also in [17](https://redirect.github.com/electron/electron/pull/34390), [19](https://redirect.github.com/electron/electron/pull/34391), [20](https://redirect.github.com/electron/electron/pull/34393))

#### Other Changes

- Enable 16k page sizes support for Linux arm64. [#34385](https://redirect.github.com/electron/electron/pull/34385)

### [`v18.3.1`](https://redirect.github.com/electron/electron/releases/tag/v18.3.1): electron v18.3.1

[Compare Source](https://redirect.github.com/electron/electron/compare/v18.3.0...v18.3.1)

### Release Notes for v18.3.1

#### Fixes

- Fixed crash when calling navigator.serial.getPorts(). [#34327](https://redirect.github.com/electron/electron/pull/34327) (Also in [17](https://redirect.github.com/electron/electron/pull/34328), [19](https://redirect.github.com/electron/electron/pull/34323))

#### Other Changes

- Added a TRACE call named `crash_reporter::Start` under the `electron` category for `crash_reporter::Start()`. [#34325](https://redirect.github.com/electron/electron/pull/34325) (Also in [17](https://redirect.github.com/electron/electron/pull/34324), [19](https://redirect.github.com/electron/electron/pull/34326))

### [`v18.3.0`](https://redirect.github.com/electron/electron/releases/tag/v18.3.0): electron v18.3.0

[Compare Source](https://redirect.github.com/electron/electron/compare/v18.2.4...v18.3.0)

### Release Notes for v18.3.0

#### Fixes

- Fixed a crash when calling `loadExtension` on an extension directory that's missing a manifest file.
[#34304](https://redirect.github.com/electron/electron/pull/34304) (Also in [16](https://redirect.github.com/electron/electron/pull/34192), [17](https://redirect.github.com/electron/electron/pull/34193), [19](https://redirect.github.com/electron/electron/pull/34303))
- Fixed an issue where bounds changes were incorrectly delayed in the case where a window was moved or resized and `event.preventDefault` was called in either `will-resize` or `will-move` on Windows. [#34284](https://redirect.github.com/electron/electron/pull/34284) (Also in [16](https://redirect.github.com/electron/electron/pull/34282), [17](https://redirect.github.com/electron/electron/pull/34283), [19](https://redirect.github.com/electron/electron/pull/34285))
- Fixed an issue where running second instances of the same application would cause a deadlock on Windows. [#34295](https://redirect.github.com/electron/electron/pull/34295) (Also in [19](https://redirect.github.com/electron/electron/pull/34312))
- Fixed potential crash with WebFrameMain when navigating between cross-origin websites. [#34293](https://redirect.github.com/electron/electron/pull/34293) (Also in [19](https://redirect.github.com/electron/electron/pull/34294))
- Fixed service worker registration with custom protocols. [#34291](https://redirect.github.com/electron/electron/pull/34291) (Also in [19](https://redirect.github.com/electron/electron/pull/34315))

### [`v18.2.4`](https://redirect.github.com/electron/electron/releases/tag/v18.2.4): electron v18.2.4

[Compare Source](https://redirect.github.com/electron/electron/compare/v18.2.3...v18.2.4)

### Release Notes for v18.2.4

#### Fixes

- Fixed an issue where tray items wouldn't highlight in some scenarios on macOS.
[#34207](https://redirect.github.com/electron/electron/pull/34207) (Also in [16](https://redirect.github.com/electron/electron/pull/34205), [17](https://redirect.github.com/electron/electron/pull/34206), [19](https://redirect.github.com/electron/electron/pull/34208))
- Fixed crash on startup on old Ubuntu versions. [#34155](https://redirect.github.com/electron/electron/pull/34155)
- SIGUSR1 is no longer handled when the `node_cli_inspect` fuse is disabled. [#34180](https://redirect.github.com/electron/electron/pull/34180) (Also in [16](https://redirect.github.com/electron/electron/pull/34182), [17](https://redirect.github.com/electron/electron/pull/34181))

#### Other Changes

- Backported fix for chromium:1320614. [#34202](https://redirect.github.com/electron/electron/pull/34202)
- Updated Chromium to 100.0.4896.160. [#34171](https://redirect.github.com/electron/electron/pull/34171)

### [`v18.2.3`](https://redirect.github.com/electron/electron/releases/tag/v18.2.3): electron v18.2.3

[Compare Source](https://redirect.github.com/electron/electron/compare/v18.2.2...v18.2.3)

### Release Notes for v18.2.3

#### Fixes

- Fixed a crash in `safeStorage` on Linux. [#34148](https://redirect.github.com/electron/electron/pull/34148) (Also in [19](https://redirect.github.com/electron/electron/pull/34147))
- Fixed building node modules with Visual Studio 2017. [#34110](https://redirect.github.com/electron/electron/pull/34110) (Also in [19](https://redirect.github.com/electron/electron/pull/34164))

### [`v18.2.2`](https://redirect.github.com/electron/electron/releases/tag/v18.2.2): electron v18.2.2

[Compare Source](https://redirect.github.com/electron/electron/compare/v18.2.0...v18.2.2)

### Release Notes for v18.2.2

#### Fixes

- Fixed a crash on Windows when opening apps in multiple, separate user sessions.
[#34161](https://redirect.github.com/electron/electron/pull/34161) (Also in [19](https://redirect.github.com/electron/electron/pull/34160))
- Fixed an OSR crash happening when input select items were rendered. [#34092](https://redirect.github.com/electron/electron/pull/34092) (Also in [17](https://redirect.github.com/electron/electron/pull/34091), [19](https://redirect.github.com/electron/electron/pull/34093))
- Fixed an issue where calling `SetLoginItemSettings()` could potentially cause network volumes to be incorrectly mounted. [#34106](https://redirect.github.com/electron/electron/pull/34106) (Also in [17](https://redirect.github.com/electron/electron/pull/34107), [19](https://redirect.github.com/electron/electron/pull/34108))
- Fixed crash on startup due to missing gtk symbol on older distros. [#34150](https://redirect.github.com/electron/electron/pull/34150) (Also in [19](https://redirect.github.com/electron/electron/pull/34151))

#### Other Changes

- Backported fix for CVE-2022-1485. [#34052](https://redirect.github.com/electron/electron/pull/34052)
- Backported fix for CVE-2022-1497. [#34072](https://redirect.github.com/electron/electron/pull/34072)

### [`v18.2.0`](https://redirect.github.com/electron/electron/releases/tag/v18.2.0): electron v18.2.0

[Compare Source](https://redirect.github.com/electron/electron/compare/v18.1.0...v18.2.0)

### Release Notes for v18.2.0

#### Features

- Fixed an issue where the PDF Viewer would fail if a user attempted to reload. [#33711](https://redirect.github.com/electron/electron/pull/33711) (Also in [19](https://redirect.github.com/electron/electron/pull/33712))

#### Fixes

- Fixed an issue with the `app.requestSingleInstanceLock()` API where it would sometimes hang. [#33778](https://redirect.github.com/electron/electron/pull/33778)

#### Other Changes

- Fixed child_process.spawn ENOENT error with cwd option.
[#33871](https://redirect.github.com/electron/electron/pull/33871) (Also in [16](https://redirect.github.com/electron/electron/pull/33869), [17](https://redirect.github.com/electron/electron/pull/33870), [19](https://redirect.github.com/electron/electron/pull/33872))
- Updated Chromium to 100.0.4896.143. [#33948](https://redirect.github.com/electron/electron/pull/33948)

### [`v18.1.0`](https://redirect.github.com/electron/electron/releases/tag/v18.1.0): electron v18.1.0

[Compare Source](https://redirect.github.com/electron/electron/compare/v18.0.4...v18.1.0)

### Release Notes for v18.1.0

#### Features

- Enabled `systemPreferences.subscribe{Local|Workspace}Notification` to take a `null` value for the `event` parameter. [#33771](https://redirect.github.com/electron/electron/pull/33771)

#### Fixes

- Fixed crash when img without `alt` is shown with accessibility features enabled. [#33843](https://redirect.github.com/electron/electron/pull/33843) (Also in [19](https://redirect.github.com/electron/electron/pull/33841))
- Fixed crash when opening gtk file dialogs due to mismatched versions. [#33812](https://redirect.github.com/electron/electron/pull/33812) (Also in [19](https://redirect.github.com/electron/electron/pull/33813))

#### Other Changes

- Updated Chromium to 100.0.4896.127. [#33730](https://redirect.github.com/electron/electron/pull/33730)

### [`v18.0.4`](https://redirect.github.com/electron/electron/releases/tag/v18.0.4): electron v18.0.4

[Compare Source](https://redirect.github.com/electron/electron/compare/v18.0.3...v18.0.4)

### Release Notes for v18.0.4

#### Fixes

- Apply senderFrame details to ipcMain port event.
[#33782](https://redirect.github.com/electron/electron/pull/33782) (Also in [16](https://redirect.github.com/electron/electron/pull/33780), [17](https://redirect.github.com/electron/electron/pull/33781))
- Fixed an issue where `Escape` keyboard events would not be properly propagated to the parent window after entering fullscreen and then exiting it again on Windows. [#33787](https://redirect.github.com/electron/electron/pull/33787)
- Fixed the built-in PDF renderer. [#33664](https://redirect.github.com/electron/electron/pull/33664)
- `shell.openExternal()` now reports more detailed errors on Windows. [#33659](https://redirect.github.com/electron/electron/pull/33659) (Also in [15](https://redirect.github.com/electron/electron/pull/33656), [16](https://redirect.github.com/electron/electron/pull/33657), [17](https://redirect.github.com/electron/electron/pull/33658), [19](https://redirect.github.com/electron/electron/pull/33660))
- `shell.openExternal()` now reports more detailed errors on Windows. [#33705](https://redirect.github.com/electron/electron/pull/33705) (Also in [15](https://redirect.github.com/electron/electron/pull/33656), [16](https://redirect.github.com/electron/electron/pull/33657), [17](https://redirect.github.com/electron/electron/pull/33658), [19](https://redirect.github.com/electron/electron/pull/33660))

#### Other Changes

- Backported fix for chromium:1297731, b/218211225. [#33708](https://redirect.github.com/electron/electron/pull/33708)

### [`v18.0.3`](https://redirect.github.com/electron/electron/releases/tag/v18.0.3): electron v18.0.3

[Compare Source](https://redirect.github.com/electron/electron/compare/v18.0.2...v18.0.3)

### Release Notes for v18.0.3

#### Other Changes

- Updated Chromium to 100.0.4896.75.
[#33619](https://redirect.github.com/electron/electron/pull/33619)

### [`v18.0.2`](https://redirect.github.com/electron/electron/releases/tag/v18.0.2): electron v18.0.2

[Compare Source](https://redirect.github.com/electron/electron/compare/v18.0.1...v18.0.2)

### Release Notes for v18.0.2

#### Fixes

- Fixed a potential crash in `Browser.getFocusedWindow()` when child windows are closed. [#33538](https://redirect.github.com/electron/electron/pull/33538) (Also in [17](https://redirect.github.com/electron/electron/pull/33539))
- Fixed an issue where the window bounds would incorrectly change if `BrowserWindow.unmaximize` was called on a window whose user bounds were maximized. [#33550](https://redirect.github.com/electron/electron/pull/33550) (Also in [16](https://redirect.github.com/electron/electron/pull/33552), [17](https://redirect.github.com/electron/electron/pull/33551))
- Fixed behavior of BrowserWindow.maximize on macOS for not shown windows. [#33537](https://redirect.github.com/electron/electron/pull/33537) (Also in [15](https://redirect.github.com/electron/electron/pull/33523), [16](https://redirect.github.com/electron/electron/pull/33535))
- Fixed incorrect return value of `app.requestSingleInstanceLock()` when setting non-existent user data folder. [#33592](https://redirect.github.com/electron/electron/pull/33592) (Also in [16](https://redirect.github.com/electron/electron/pull/33590), [17](https://redirect.github.com/electron/electron/pull/33591), [19](https://redirect.github.com/electron/electron/pull/33593))
- Fixed issues with frameless window animations and styling. [#33610](https://redirect.github.com/electron/electron/pull/33610) (Also in [19](https://redirect.github.com/electron/electron/pull/33609))
- Fixed potential crash while generating accessibility trees for certain images.
[#33616](https://redirect.github.com/electron/electron/pull/33616) (Also in [19](https://redirect.github.com/electron/electron/pull/33617))

### [`v18.0.1`](https://redirect.github.com/electron/electron/releases/tag/v18.0.1): electron v18.0.1

[Compare Source](https://redirect.github.com/electron/electron/compare/v18.0.0...v18.0.1)

### Release Notes for v18.0.1

#### Fixes

- Fixed an issue where Pointer Lock behavior could not be properly exited. [#32828](https://redirect.github.com/electron/electron/pull/32828)
- Fixed crash when WindowButtonsProxy references cleared NSWindow. [#33490](https://redirect.github.com/electron/electron/pull/33490) (Also in [15](https://redirect.github.com/electron/electron/pull/33487), [16](https://redirect.github.com/electron/electron/pull/33489), [17](https://redirect.github.com/electron/electron/pull/33488))
- Fixed crash when running under Wayland caused by calling X11 functions. [#33498](https://redirect.github.com/electron/electron/pull/33498) (Also in [17](https://redirect.github.com/electron/electron/pull/33499))

#### Other Changes

- Updated Chromium to 100.0.4896.60. [#33501](https://redirect.github.com/electron/electron/pull/33501)

### [`v18.0.0`](https://redirect.github.com/electron/electron/releases/tag/v18.0.0): electron v18.0.0

[Compare Source](https://redirect.github.com/electron/electron/compare/v17.4.11...v18.0.0)

### Release Notes for v18.0.0

#### Stack Upgrades

- Chromium 100.0.4896.56
    - [New in 100](https://developer.chrome.com/blog/new-in-chrome-100/)
    - [New in 99](https://developer.chrome.com/blog/new-in-chrome-99/)
- Node v16.13.2
    - [v16.13.2 release notes](https://nodejs.org/en/blog/release/v16.13.2/)
    - [v16.13.1 release notes](https://nodejs.org/en/blog/release/v16.13.1/)
- V8 v10.0
    - [V8 10.0 blog post](https://v8.dev/blog/v8-release-100)
    - [V8 9.9 blog post](https://v8.dev/blog/v8-release-99)

#### Breaking Changes

- Removed the old `BrowserWindowProxy`-based implementation of `window.open`.
This also removes the `nativeWindowOpen` option from `webPreferences`. [#29405](https://redirect.github.com/electron/electron/pull/29405)

#### Features

##### Additions

- Added 'focus' and 'blur' events to `WebContents`. [#25873](https://redirect.github.com/electron/electron/pull/25873)
- Added `BrowserWindow` method to change the button color, symbol color, and height of a window with WCO enabled. [#33440](https://redirect.github.com/electron/electron/pull/33440)
- Added `nativeTheme.inForcedColorsMode` API to allow detecting forced color mode. [#33357](https://redirect.github.com/electron/electron/pull/33357) (Also in [15](https://redirect.github.com/electron/electron/pull/33360), [16](https://redirect.github.com/electron/electron/pull/33359), [17](https://redirect.github.com/electron/electron/pull/33358))
- Added Substitutions menu roles on macOS: `showSubstitutions`, `toggleSmartQuotes`, `toggleSmartDashes`, `toggleTextReplacement`. [#32024](https://redirect.github.com/electron/electron/pull/32024)
- Added `first-instance-ack` event to the `app.requestSingleInstanceLock()` flow, so that users can pass some data back from the second instance to the first instance. [#31460](https://redirect.github.com/electron/electron/pull/31460)
- Added `height` option for Windows Control Overlay. [#31222](https://redirect.github.com/electron/electron/pull/31222) (Also in [15](https://redirect.github.com/electron/electron/pull/33064), [16](https://redirect.github.com/electron/electron/pull/33061), [17](https://redirect.github.com/electron/electron/pull/32939))
- Added `ses.setCodeCachePath()` API for setting code cache directory. [#33286](https://redirect.github.com/electron/electron/pull/33286) (Also in [17](https://redirect.github.com/electron/electron/pull/33285))
- Added rawHeaders to IncomingMessage. [#31853](https://redirect.github.com/electron/electron/pull/31853)
- Added support for more color formats in `setBackgroundColor`.
[#33364](https://redirect.github.com/electron/electron/pull/33364)
- Added warning that preload scripts will be sandboxed by default beginning in Electron 20. [#33203](https://redirect.github.com/electron/electron/pull/33203)
- Support obsolete blowfish ciphers bf-{cbc,cfb,ecb} through the Node.js crypto API. [#32356](https://redirect.github.com/electron/electron/pull/32356) (Also in [17](https://redirect.github.com/electron/electron/pull/32439))

#### Fixes

- Fixed a V8 crash that could happen randomly in non-sandboxed renderer processes. [#33260](https://redirect.github.com/electron/electron/pull/33260)
- Fixed a bug where `BrowserWindow.fromWebContents` would return `undefined` during the `browser-window-created` event. [#33316](https://redirect.github.com/electron/electron/pull/33316)
- Fixed an issue where First Party Sets were not correctly loaded on app launch. [#33345](https://redirect.github.com/electron/electron/pull/33345)
- Fixed an issue where new bounds set via `setBounds` was not correctly applied if the user was moving or resizing the window concurrently on Windows. [#33375](https://redirect.github.com/electron/electron/pull/33375)
- Fixed an issue where pages would not properly print on macOS due to a rendering failure. [#32813](https://redirect.github.com/electron/electron/pull/32813)
- Fix: initialize asar support in worker threads. [#33396](https://redirect.github.com/electron/electron/pull/33396)
- Fixed the IncrementCapturerCount regression introduced by 13.0.0-beta.21. [#33371](https://redirect.github.com/electron/electron/pull/33371)

##### Also in earlier versions....

- Allowed specifying x64 arch on Mac Rosetta via `npm_config_arch`.
[#32266](https://redirect.github.com/electron/electron/pull/32266) (Also in [15](https://redirect.github.com/electron/electron/pull/32380), [16](https://redirect.github.com/electron/electron/pull/32381), [17](https://redirect.github.com/electron/electron/pull/32382))
- Assertion failure happening in the `showSaveDialogSync()` code path has been fixed. (Fixes [#31997](https://redirect.github.com/electron/electron/issues/31997)). [#32049](https://redirect.github.com/electron/electron/pull/32049) (Also in [14](https://redirect.github.com/electron/electron/pull/32080), [15](https://redirect.github.com/electron/electron/pull/32081), [16](https://redirect.github.com/electron/electron/pull/32082), [17](https://redirect.github.com/electron/electron/pull/32083))
- Fixed a bug when registering a protocol on Windows, which used to set an invalid command if the execution path included a space. [#32220](https://redirect.github.com/electron/electron/pull/32220) (Also in [14](https://redirect.github.com/electron/electron/pull/32328), [15](https://redirect.github.com/electron/electron/pull/32330), [16](https://redirect.github.com/electron/electron/pull/32331), [17](https://redirect.github.com/electron/electron/pull/32329))
- Fire 'show' event when a BrowserWindow is shown via maximize(). [#33214](https://redirect.github.com/electron/electron/pull/33214) (Also in [16](https://redirect.github.com/electron/electron/pull/33212), [17](https://redirect.github.com/electron/electron/pull/33213))
- Fixed BrowserWindow.showInactive restoring a maximized window to non-maximized on Windows. [#33022](https://redirect.github.com/electron/electron/pull/33022) (Also in [16](https://redirect.github.com/electron/electron/pull/33020), [17](https://redirect.github.com/electron/electron/pull/33021))
- Fixed VoiceOver not reading typed words correctly in MAS builds.
[#32543](https://redirect.github.com/electron/electron/pull/32543) (Also in [17](https://redirect.github.com/electron/electron/pull/32567))
- Fixed `maxWidth` not working in BrowserWindow constructor options. [#32628](https://redirect.github.com/electron/electron/pull/32628) (Also in [17](https://redirect.github.com/electron/electron/pull/32637))
- Fixed `window.open` not overriding parent's `webPreferences`. [#32057](https://redirect.github.com/electron/electron/pull/32057) (Also in [15](https://redirect.github.com/electron/electron/pull/32109), [16](https://redirect.github.com/electron/electron/pull/32108), [17](https://redirect.github.com/electron/electron/pull/32107))
- Fixed a crash caused by app.getLocaleCountryCode(). [#32256](https://redirect.github.com/electron/electron/pull/32256) (Also in [15](https://redirect.github.com/electron/electron/pull/32332), [16](https://redirect.github.com/electron/electron/pull/32321), [17](https://redirect.github.com/electron/electron/pull/32322))
- Fixed a crash that occurred when a user attempted to print a document either with `window.print()`, the print button in the PDF viewer, or with `BrowserWindow.webContents()` and clicked cancel in the resulting print dialog. [#32632](https://redirect.github.com/electron/electron/pull/32632) (Also in [17](https://redirect.github.com/electron/electron/pull/33015))
- Fixed a crash that occurred when user attempted to download an edited PDF. [#32512](https://redirect.github.com/electron/electron/pull/32512) (Also in [15](https://redirect.github.com/electron/electron/pull/32537), [16](https://redirect.github.com/electron/electron/pull/32538), [17](https://redirect.github.com/electron/electron/pull/32539))
- Fixed a crash when starting VoiceOver on macOS. [#32564](https://redirect.github.com/electron/electron/pull/32564) (Also in [17](https://redirect.github.com/electron/electron/pull/32578))
- Fixed a network service crash that could occur when using setCertificateVerifyProc.
[#33253](https://redirect.github.com/electron/electron/pull/33253) (Also in [17](https://redirect.github.com/electron/electron/pull/33254))
- Fixed a potential crash in v8 by using allocation type: kOld in v8 ScriptOrModule legacy lifetime. [#32339](https://redirect.github.com/electron/electron/pull/32339) (Also in [17](https://redirect.github.com/electron/electron/pull/32355))
- Fixed a potential crash when importing media files or custom file types. [#31881](https://redirect.github.com/electron/electron/pull/31881) (Also in [16](https://redirect.github.com/electron/electron/pull/31883), [17](https://redirect.github.com/electron/electron/pull/31884))
- Fixed a potential issue when setting backgroundColor on `BrowserView`s. [#31863](https://redirect.github.com/electron/electron/pull/31863) (Also in [14](https://redirect.github.com/electron/electron/pull/31945), [15](https://redirect.github.com/electron/electron/pull/31946), [16](https://redirect.github.com/electron/electron/pull/31947), [17](https://redirect.github.com/electron/electron/pull/31948))
- Fixed an issue that the `alert()` dialog title is corrupted. [#32434](https://redirect.github.com/electron/electron/pull/32434) (Also in [14](https://redirect.github.com/electron/electron/pull/32467), [15](https://redirect.github.com/electron/electron/pull/32468), [16](https://redirect.github.com/electron/electron/pull/32470), [17](https://redirect.github.com/electron/electron/pull/32469))
- Fixed an issue where BrowserView layout bounds were limited to its visible bounds. [#33399](https://redirect.github.com/electron/electron/pull/33399) (Also in [17](https://redirect.github.com/electron/electron/pull/33398))
- Fixed an issue where Chrome DevTools settings didn't persist between loads. [#33206](https://redirect.github.com/electron/electron/pull/33206) (Also in [17](https://redirect.github.com/electron/electron/pull/33273))
- Fixed an issue where `alternateImage`s did not work properly on macOS.
[#33107](https://redirect.github.com/electron/electron/pull/33107) (Also in [15](https://redirect.github.com/electron/electron/pull/33104), [16](https://redirect.github.com/electron/electron/pull/33106), [17](https://redirect.github.com/electron/electron/pull/33105))
- Fixed an issue where `ipcRenderer.postMessage` would throw errors when the `transfer` argument was not passed. [#32433](https://redirect.github.com/electron/electron/pull/32433) (Also in [14](https://redirect.github.com/electron/electron/pull/32457), [15](https://redirect.github.com/electron/electron/pull/32458), [16](https://redirect.github.com/electron/electron/pull/32460), [17](https://redirect.github.com/electron/electron/pull/32459))
- Fixed an issue where `webContents.openDevTools({ mode })` did not work for certain dock positions. [#32946](https://redirect.github.com/electron/electron/pull/32946) (Also in [17](https://redirect.github.com/electron/electron/pull/32945))
- Fixed an issue where `webContents.savePage` failed when passing a relative path instead of an absolute one. [#33019](https://redirect.github.com/electron/electron/pull/33019) (Also in [15](https://redirect.github.com/electron/electron/pull/33018), [16](https://redirect.github.com/electron/electron/pull/33017), [17](https://redirect.github.com/electron/electron/pull/33016))
- Fixed an issue where adding/removing display changes the BrowserWindow size. [#33250](https://redirect.github.com/electron/electron/pull/33250) (Also in [14](https://redirect.github.com/electron/electron/pull/33247), [15](https://redirect.github.com/electron/electron/pull/33248), [16](https://redirect.github.com/electron/electron/pull/33249), [17](https://redirect.github.com/electron/electron/pull/33251))
- Fixed an issue where calling screen capture on macOS does not properly release underlying OS capture mechanisms.
[#32435](https://redirect.github.com/electron/electron/pull/32435) (Also in [17](https://redirect.github.com/electron/electron/pull/32464)) - Fixed an issue where clicking "Open in Containing Folder" in the Sources tab in Devtools caused a crash. [#33197](https://redirect.github.com/electron/electron/pull/33197) (Also in [16](https://redirect.github.com/electron/electron/pull/33313), [17](https://redirect.github.com/electron/electron/pull/33196)) - Fixed an issue where frameless vibrant windows would not show transparency correctly on macOS. [#32593](https://redirect.github.com/electron/electron/pull/32593) (Also in [16](https://redirect.github.com/electron/electron/pull/32648), [17](https://redirect.github.com/electron/electron/pull/32649)) - Fixed an issue where frameless windows on Windows would incorrectly show a small frame during the loading process. [#32714](https://redirect.github.com/electron/electron/pull/32714) (Also in [14](https://redirect.github.com/electron/electron/pull/32709), [15](https://redirect.github.com/electron/electron/pull/32708), [16](https://redirect.github.com/electron/electron/pull/32710), [17](https://redirect.github.com/electron/electron/pull/32707)) - Fixed an issue where if `backgroundColor` was set to `undefined`, vibrancy failed to work and the `backgroundColor` would show up as white. [#32517](https://redirect.github.com/electron/electron/pull/32517) (Also in [16](https://redirect.github.com/electron/electron/pull/32654), [17](https://redirect.github.com/electron/electron/pull/32653)) - Fixed an issue where setting window `maxHeight` or `maxWidth` made it so the width and height could no longer be resized. [#33119](https://redirect.github.com/electron/electron/pull/33119) (Also in [17](https://redirect.github.com/electron/electron/pull/33118)) - Fixed an issue where the 'maximize' and 'unmaximize' events didn't fire properly on linux. 
[#32441](https://redirect.github.com/electron/electron/pull/32441) (Also in [14](https://redirect.github.com/electron/electron/pull/32499), [15](https://redirect.github.com/electron/electron/pull/32498), [16](https://redirect.github.com/electron/electron/pull/32497), [17](https://redirect.github.com/electron/electron/pull/32492)) - Fixed an issue where the Tray could get garbage collected incorrectly under some circumstances. [#33074](https://redirect.github.com/electron/electron/pull/33074) (Also in [15](https://redirect.github.com/electron/electron/pull/33077), [16](https://redirect.github.com/electron/electron/pull/33075), [17](https://redirect.github.com/electron/electron/pull/33076)) - Fixed an issue with transparent windows failing to fire the `maximize` and `unmaximize` events on Windows. [#32643](https://redirect.github.com/electron/electron/pull/32643) (Also in [17](https://redirect.github.com/electron/electron/pull/32690)) - Fixed an occasional crash on Mac when spawning a child process. [#33117](https://redirect.github.com/electron/electron/pull/33117) (Also in [17](https://redirect.github.com/electron/electron/pull/33116)) - Fixed aspect ratio resize for frameless windows on macOS. [#32287](https://redirect.github.com/electron/electron/pull/32287) (Also in [15](https://redirect.github.com/electron/electron/pull/32445), [16](https://redirect.github.com/electron/electron/pull/32446), [17](https://redirect.github.com/electron/electron/pull/32447)) - Fixed broken event loop in renderer process when process reuse is enabled on windows platform. [#33361](https://redirect.github.com/electron/electron/pull/33361) (Also in [16](https://redirect.github.com/electron/electron/pull/33363), [17](https://redirect.github.com/electron/electron/pull/33362)) - Fixed broken transparency option in offscreen window rendering. 
[#33053](https://redirect.github.com/electron/electron/pull/33053) (Also in [16](https://redirect.github.com/electron/electron/pull/33051), [17](https://redi