[Security Issue]"contextIsolation" is disabled

[Shashank-In]

Description
Since contextIsolation is not mentioned hence it will be disabled by default. This means the Electron APIs and the preload script run in the same context, hence an XSS vulnerability could allow an attacker to re-define app functionality via prototype tampering.

Proof:

1. Go to https://github.com/wavesplatform/WavesGUI/blob/dev/electron/main.ts#L386-L389

webPreferences: {
preload: join(__dirname, 'preload.js'),
nodeIntegration: false
}

Since "contextIsolation" is not mentioned. This will be by default set to false.

Suggested Fix:
It should have contextIsolation: true

Ref:
https://www.electronjs.org/docs/tutorial/context-isolation

Note: I saw the bug bounty program of waves at https://forum.wavesplatform.com/t/bug-bounty-program/1127
However the email bug-bounty@wavesplatform.com. is dead.

[Shashank-In]

Any updates?

[Shashank-In]

Hi @tsigel Any updates?

[weidisu]

You can try WavesLiteClient here

[Shashank-In]

Sorry @weidisu
Did not understand why is it related to this bug report?