Hacker News
by amelius 1549 days ago
Is Electron at risk too?
2 comments

Visual Studio Code is built with Electron. VSCode has lots of extensions available. Can a VSCode extension exploit this 0day?

If your Electron app executes third party, remote code. But if it does, you should definitely not use it.

>If your Electron app executes third party, remote code.

There's a high chance that it does because of embedded content/ads/iframes/in-app browsers.

Are in-app browsers in Electron even secure in the first place? Does it use Chrome-style sandboxing with multiple processes, etc.? Do bugs in the Electron engine get patched in a timely fashion?

Genuinely asking here. I've never written an Electron app personally so I don't know how this stuff is done exactly, but the idea of in-app browsers in Electron apps sounds terrifying to me, security-wise.

Electron has been moving toward security by default in renderer processes, but Chromium sandboxing isn't yet enabled by default in these processes. More here: https://www.electronjs.org/docs/latest/tutorial/sandbox

Which Electron apps have embedded ads running third party JavaScript? That’s a huge security risk.
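For the point raised in the thread that renderer sandboxing was not on by default, here is an added example (not code from any commenter or from the Electron project) that audits the `webPreferences` an app passes to `BrowserWindow` and rates findings higher when the window loads remote content. The function names, the severity labels, the sample windows and the rule that every option must be set explicitly are assumptions made for this example.

```javascript
// Added example: lint the options an app would pass to
// `new BrowserWindow({ webPreferences })`. Plain Node, Electron not required.
// Assumption: each option must be pinned explicitly, since defaults differ
// between Electron versions (the thread notes sandbox was not on by default).
const REQUIRED = {
  sandbox: true,                      // Chromium sandbox for the renderer process
  contextIsolation: true,             // preload script gets its own JS context
  nodeIntegration: false,             // page scripts get no require()/process
  webviewTag: false,                  // page cannot embed <webview> guests
  webSecurity: true,                  // keep the same-origin policy
  allowRunningInsecureContent: false, // no http subresources on https pages
};

// Assumption: file: and custom app protocols count as bundled, local content.
function isRemote(url) {
  return ["http:", "https:", "ws:", "wss:"].includes(new URL(url).protocol);
}

function auditWindow({ url, webPreferences = {} }) {
  // Missing hardening matters most where third-party content is rendered.
  const severity = isRemote(url) ? "high" : "medium";
  const findings = [];
  for (const [option, wanted] of Object.entries(REQUIRED)) {
    if (!(option in webPreferences)) {
      findings.push({ severity, option, problem: `not set, want ${wanted}` });
    } else if (webPreferences[option] !== wanted) {
      findings.push({ severity, option,
        problem: `is ${webPreferences[option]}, want ${wanted}` });
    }
  }
  return findings;
}

// Constructed samples: an in-app browser with sandbox left implicit,
// and a window showing bundled UI with every option pinned.
const inAppBrowser = {
  url: "https://example.com/article",
  webPreferences: { nodeIntegration: true, contextIsolation: false },
};
const hardened = { url: "file:///app/index.html", webPreferences: { ...REQUIRED } };

for (const [name, win] of Object.entries({ inAppBrowser, hardened })) {
  const findings = auditWindow(win);
  console.log(`${name}: ${findings.length ? "FAIL" : "ok"}`);
  for (const f of findings) console.log(`  [${f.severity}] ${f.option} ${f.problem}`);
}
```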