terpinedream [1] filed a deletion request for vitamin-browser [2]:

CRITICAL ISSUES

1. Electron Sandbox Disabled (Critical)

The application conditionally launches Electron with --no-sandbox on Linux when unprivileged user namespaces are unavailable.

Impact:
- Removes Electron’s primary security boundary
- Renderer compromise results in full system compromise
- Breaks Electron’s security model

Fix:
- Never disable sandboxing
- Handle restricted environments without removing security boundaries

2. Full IPC Exposure to Web Content (Critical)

The preload script exposes unrestricted ipcRenderer to window.chrome, allowing any website to call any IPC handler.

Impact:
- Arbitrary IPC invocation from web content
- Access to file operations, navigation, cookies, and data deletion
- Enables RCE via bookmarklet and executeJavaScript handlers
- Complete browser takeover from a malicious site

Fix:
- Remove direct IPC exposure
- Whitelist allowed IPC channels
- Enforce origin and sender validation

3. JavaScript Code Injection via executeJavaScript (Critical)

User-controlled values are interpolated into executeJavaScript calls using template literals.

Impact:
- Direct code injection into page context
- Cookie and session theft
- Arbitrary script execution

Fix:
- Never concatenate user input into JavaScript
- Use structured messaging (webContents.send)
- Serialize data safely (e.g., JSON)

HIGH SEVERITY ISSUES

Remote Code Execution via Bookmarklets

Bookmarklets execute arbitrary JavaScript in any page context without isolation or validation.

Fix:
- Remove or strictly sandbox bookmarklet execution

Widespread XSS (innerHTML misuse)

Multiple UI components insert unsanitized data via innerHTML.

Fix:
- Use textContent instead of innerHTML
- Apply proper HTML sanitization (e.g., DOMPurify)

No Input Validation on IPC Handlers

IPC handlers accept untrusted input without schema validation or bounds checking.

Fix:
- Enforce strict schemas (Zod, Joi)
- Validate all IPC inputs

Insecure URL Handling

URL validation relies on string matching rather than proper URL parsing.

Fix:
- Parse URLs using new URL()
- Validate scheme and hostname explicitly

Directory Traversal in File Operations

File paths are not constrained to safe directories.

Fix:
- Resolve paths and enforce base directory boundaries

Plaintext Storage of Sensitive Data

Session, history, and bookmark data are stored unencrypted.

Fix:
- Encrypt sensitive data or minimize stored data
- Use OS-backed secure storage when possible

Missing Content Security Policy

No CSP is set, allowing inline scripts, eval, and easy XSS exploitation.

Fix:
- Implement a strict CSP
- Disallow inline scripts and eval

The package is not production ready and proves a massive security issue.

[1] https://aur.archlinux.org/account/terpinedream/
[2] https://aur.archlinux.org/pkgbase/vitamin-browser/
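Three of the fixes the request asks for (an IPC channel whitelist in place of a raw ipcRenderer, explicit URL parsing, and JSON-serialized values for executeJavaScript), written as an added example that is not vitamin-browser's code; the channel names and the title-setting script are assumed for illustration, and the functions take a plain ipc object so they run without Electron.

```javascript
// Added example, not vitamin-browser's code: three of the fixes named in the
// request, written as plain functions so they run without Electron.
// The channel names and the title-setting script are assumed for illustration.

// Only channels on this list may be invoked from the renderer (assumed names).
const ALLOWED_CHANNELS = new Set(['bookmarks:list', 'tabs:navigate']);

// Fix for "Full IPC Exposure": wrap ipcRenderer instead of exposing it whole.
// In a preload script the result would be passed to
// contextBridge.exposeInMainWorld(...) rather than assigned to window.chrome.
function createRestrictedApi(ipc, allowed = ALLOWED_CHANNELS) {
  return Object.freeze({
    invoke(channel, ...args) {
      if (typeof channel !== 'string' || !allowed.has(channel)) {
        throw new Error('IPC channel not allowed'); // fail loudly, never forward
      }
      return ipc.invoke(channel, ...args);
    },
  });
}

// Fix for "Insecure URL Handling": parse with new URL() and check the scheme
// and hostname explicitly instead of matching on string prefixes.
function isAllowedNavigationUrl(input) {
  let url;
  try {
    url = new URL(String(input));
  } catch {
    return false; // unparseable input is rejected, never "fixed up"
  }
  const schemeOk = url.protocol === 'http:' || url.protocol === 'https:';
  return schemeOk && url.hostname.length > 0;
}

// Fix for "JavaScript Code Injection": data handed to executeJavaScript is
// serialized as a JSON literal; the characters JSON leaves raw but a script
// context treats specially are escaped as well.
function toJsLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened form of `document.title = '${title}'`: the value is a JSON literal,
// so it can never close the string or add statements.
function buildSetTitleScript(title) {
  return `document.title = ${toJsLiteral(title)};`;
}
```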
