I would like to see all "desktop" applications that use Electron listed and how big of a Chromium drift is there, especially how many applications are shipping runtimes with unfixed vulnerabilities.
We did a study of this a few years ago[1] and the code for the instrumentation is available on github[2], the data is dated but you can see a cross section of popular apps and how far behind they were lagging over a 3 year period on page 11 of the pdf. Re: child comment, our main concern in this research was patched vulnerabilities persisting in electron apps and how damaging that could be. Details in the paper :)
I keep getting distracted by side-quests. The last one was building an Electron Zoo, and the current one is doing accurate SBOMs for each electron version.
Yep. JavaScript VM breakout, Sandbox breakout and spectre/meltdown side channel leaks are all tracked as vulnerabilities towards Electron while ordinary apps don't even have such security features.
I guess an elephant-sized exception to this are the popular code editors that support extensions? Or perhaps such editors’ extensions typically aren’t constrained at all anyway.
1. https://www.usenix.org/system/files/usenixsecurity24-ali.pdf 2. https://github.com/masood/inspectron