Closed: arch-btw closed 2 years ago
Seems like a pretty severe exploit.
For a browser yes, very severe stuff.
Is ElectronMail affected?
@electron of course comes with @chromium built-in but ElectronMail is not used as a regular browser. Meaning the app is not loading random/potentially malicious HTML/JS stuff from the internet but only static content predefined by @ProtonMail in https://github.com/ProtonMail/WebClients. So I think the current app release is fine unless @ProtonMail injected some malicious stuff into https://github.com/ProtonMail/WebClients, which I don't believe they would be doing.
But still, I'm also OK to publish a new version with an updated @electron fairly quickly since I keep the WIP updated with the recent https://github.com/ProtonMail/WebClients changes and dependency updates.
v4.13.6 is built on https://github.com/electron/electron/releases/tag/v15.5.0.
Perfect! Thank you for the update and the information, it's very helpful!
Hi @vladimiry,
Is ElectronMail affected? Seems like a pretty severe exploit.
Official announcement: https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html
More info: https://thehackernews.com/2022/03/google-issues-urgent-chrome-update-to.html
Electron 15 PR: https://github.com/electron/electron/pull/33473
Electron 16 PR: https://github.com/electron/electron/pull/33472