Disabling Context Isolation in Electron
Description
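Disabling context isolation can introduce Prototype Pollution vulnerabilities. Context isolation is an Electron security feature that runs preload scripts and Electron's internal logic in a JavaScript context separate from the loaded web content, which keeps page JavaScript from reaching Node.js internals. With it disabled, page script shares built-in prototypes with that privileged code, so an attacker can modify the prototype of objects it relies on, potentially leading to security vulnerabilities.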
Examples
Insecure Code
```javascript
new BrowserWindow({webPreferences: {contextIsolation: false}})
```
Secure Code
```javascript
new BrowserWindow({webPreferences: {contextIsolation: true}})
```
Remediation
Enable context isolation by setting `contextIsolation` to `true` in the `webPreferences` object when creating a new `BrowserWindow`.
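The following added example is not part of the rule's own code. It uses Node's `vm` module, without Electron, to simulate why sharing a context matters: the same constructed page script changes the outcome of a preload-style allowlist check only when both run in one context. `PRELOAD`, `PAGE`, `readConfig` and `run` are hypothetical names, and passing the function across contexts directly is a simplification of what Electron's `contextBridge` does.

```javascript
// Simulation only: vm contexts stand in for Electron's JavaScript worlds.
const vm = require('node:vm');

// Constructed stand-in for a preload script. It guards a privileged action
// with an allowlist check that relies on a built-in prototype method.
const PRELOAD = `
  const allowed = ['settings.json', 'theme.json'];
  globalThis.readConfig = (name) =>
    allowed.includes(name) ? 'contents of ' + name : 'denied';
`;

// Constructed stand-in for untrusted page script. It replaces a built-in
// prototype method in its own context, then calls the exposed API.
const PAGE = `
  Array.prototype.includes = function () { return true; };
  globalThis.result = readConfig('secrets.db');
`;

// Runs PRELOAD and PAGE and returns what the page received from readConfig.
// contextIsolation=false: both scripts share one context and one Array.prototype.
// contextIsolation=true: the page gets its own context and its own built-ins;
// only the readConfig function is handed across.
function run(contextIsolation) {
  const preloadWorld = vm.createContext({});
  vm.runInContext(PRELOAD, preloadWorld);

  let pageWorld = preloadWorld;
  if (contextIsolation) {
    pageWorld = vm.createContext({});
    pageWorld.readConfig = preloadWorld.readConfig;
  }

  vm.runInContext(PAGE, pageWorld);
  return pageWorld.result;
}

console.log('contextIsolation: false ->', run(false));
console.log('contextIsolation: true  ->', run(true));
```

In the isolated run the page's change lands on its own copy of `Array.prototype`, so the allowlist in the preload context still evaluates with the original `includes`.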
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0369 |
| Category | InsecureConfig |
| Severity | MEDIUM |
| CWE | CWE-1321 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | Prototype Pollution, Context Isolation |
| OWASP | A6:2017-Security Misconfiguration, A05:2021-Security Misconfiguration |