Severity by source
AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionGitHub Advisory
Impact
When a renderer calls window.open() with a target name, Electron did not correctly scope the named-window lookup to the opener's browsing context group. A renderer could navigate an existing child window that was opened by a different, unrelated renderer if both used the same target name. If that existing child was created with more permissive webPreferences (via setWindowOpenHandler's overrideBrowserWindowOptions), content loaded by the second renderer inherits those permissions.
Apps are only affected if they open multiple top-level windows with differing trust levels and use setWindowOpenHandler to grant child windows elevated webPreferences such as a privileged preload script. Apps that do not elevate child window privileges, or that use a single top-level window, are not affected.
Apps that additionally grant nodeIntegration: true or sandbox: false to child windows (contrary to the security recommendations) may be exposed to arbitrary code execution.
Workarounds
Deny window.open() in renderers that load untrusted content by returning { action: 'deny' } from setWindowOpenHandler. Avoid granting child windows more permissive webPreferences than their opener.
Fixed Versions
42.0.0-alpha.541.1.040.8.539.8.5
For more information
If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org)
AnalysisAI
Electron's window.open() handler fails to properly scope named-window lookups to the opener's browsing context group, allowing a renderer to hijack an existing child window opened by a different renderer and potentially inherit elevated webPreferences including privileged preload scripts. This affects Electron versions before 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, and poses a remote code execution risk only in applications that open multiple top-level windows with differing trust levels and grant child windows elevated permissions via setWindowOpenHandler. No public exploit identified at time of analysis.
Technical ContextAI
Electron is a framework for building cross-platform desktop applications using web technologies (HTML, CSS, JavaScript). The vulnerability exists in Electron's renderer process implementation of the window.open() API. The root cause (CWE-668: Operation on Resource in the Wrong Phase of Lifetime) stems from improper scoping of the named-window lookup mechanism. When a renderer invokes window.open() with a target name, Electron should restrict the lookup to windows within that renderer's browsing context group (conceptually similar to browser same-origin policy). Instead, the renderer-side lookup was global across all windows, enabling cross-renderer window hijacking. When a second, untrusted renderer navigates an existing child window created by a trusted renderer, the child inherits the webPreferences (including preload scripts, nodeIntegration settings, sandbox configuration) of its original opener. The affected product is npm package 'electron' across multiple major/minor versions.
RemediationAI
Immediately upgrade to patched versions: Electron 39.8.5, 40.8.5, 41.1.0, or 42.0.0-alpha.5 or later, selecting the version that matches your current major/minor branch. For applications still on older major versions without patches, apply the following workarounds: (1) Return { action: 'deny' } from setWindowOpenHandler in any renderer that loads untrusted content to completely block window.open() calls; (2) Avoid granting child windows more permissive webPreferences than their opener window; (3) Do not grant nodeIntegration:true or sandbox:false to child windows unless absolutely necessary and the content is fully trusted. See https://github.com/electron/electron/releases/tag/v39.8.5, https://github.com/electron/electron/releases/tag/v40.8.5, https://github.com/electron/electron/releases/tag/v41.1.0, and https://github.com/electron/electron/releases/tag/v42.0.0-alpha.5 for patch details and https://github.com/advisories/GHSA-f3pv-wv63-48x8 for full advisory.
Same weakness CWE-668 – Exposure of Resource to Wrong Sphere
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19949
GHSA-f3pv-wv63-48x8