[electron] Renderers can obtain access to random bluetooth device without permission in Electron

Impact

This vulnerability allows renderers to obtain access to a random bluetooth device via the web bluetooth API if the app has not configured a custom select-bluetooth-device event handler. The device that is accessed is random and the attacker would have no way of selecting a specific device.

All current stable versions of Electron are affected.

Patches

This has been patched and the following Electron versions contain the fix:

• 17.0.0-alpha.6
• 16.0.6
• 15.3.5
• 14.2.4
• 13.6.6

Workarounds

Adding this code to your app can workaround the issue.

app.on('web-contents-created', (event, webContents) => {
  webContents.on('select-bluetooth-device', (event, devices, callback) => {
    // Prevent default behavior
    event.preventDefault();
    // Cancel the request
    callback('');
  });
});

For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.

References

• https://github.com/electron/electron/security/advisories/GHSA-3p22-ghq8-v749
• https://nvd.nist.gov/vuln/detail/CVE-2022-21718
• https://github.com/electron/electron/pull/32178
• https://github.com/electron/electron/pull/32240
• https://github.com/advisories/GHSA-3p22-ghq8-v749