WireDesktop affected by CVE-2018-1000136 - Electron nodeIntegration Bypass?

[tokariu]

As this CVE got disclosed lately: https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2018-1000136---Electron-nodeIntegration-Bypass/
i wonder if Wire too is affected like all the other electron based apps.

even though it's very comfortable due to it's portability, electron based apps seem to be a rather bad choice now when it comes to security - and shouldn't Wire take care about security in the first place? do we have alternatives?

[ij0n]

https://twitter.com/pwnsdx/status/996011703384100864 says that wire is not affected
the dev claims that this line:

wire-desktop/electron/main.js

Line 408 in 917afa9

event.preventDefault();

effectively stops the described attack vector.

for now I am inclined to believe this, but I would love to hear a more detailled response from wire

[raphaelrobert]

The code mentioned above prevents a new window from being opened, which was a pre-requisite for the vulnerability to be exploitable.

I will close the ticket, as Wire is not affected by this.