Discord Patched A Critical Issue In The Desktop Version Of The Messaging App Cybers Guards

Several months ago, bug bounty hunter Masato Kinugawa built an exploit chain leading to remote code execution (RCE) and published a blog post over the weekend explaining the technical details of the process, which involved several bugs. Kinugawa submitted his findings through Discord's Bug Bounty program.

The first security issue lay in Electron, the framework used for the Discord desktop client. Although the desktop application itself is not open source, the JavaScript code it runs on Electron, an open-source project for building cross-platform applications with JavaScript, HTML, and CSS, is stored locally and could be extracted and examined. One of the settings in Discord's Electron build, "contextIsolation," was set to false, which could allow internal code, such as the Node.js functionality, to be affected by JavaScript code outside the app. The feature exists to keep web page contexts separate from the app's own JavaScript code.

"This behaviour is dangerous since Electron allows the JavaScript code outside of web pages to use the functionality of Node.js regardless of the [nodeIntegration] option, and it may be possible to achieve RCE by interfering with them from the overridden function on the web page even if the nodeIntegration is set to false," Kinugawa explained.

Now the researcher needed a way to execute JavaScript in the application, which led to the discovery of a cross-site scripting (XSS) issue in the iframe embed feature, used to preview video in chat when a URL is shared, such as one from YouTube. This led Kinugawa to Sketchfab, a 3D model viewer. Sketchfab is whitelisted in Discord's content security policy and can be included in the iframe, but it was found to have a DOM-based XSS in its embed page. This alone only allowed the bug bounty hunter to execute JavaScript in the iframe, however, and it was still not possible to achieve full RCE on the Discord desktop app.

"Now, even though I could execute arbitrary JavaScript on the app, overriding JavaScript built-in methods did not allow RCE to happen." At least, not until Kinugawa came across a navigation restriction bypass in Electron's "will-navigate" event code. This flaw, tracked as CVE-2020-15174, combined with the other two vulnerabilities, enabled Kinugawa to carry out an RCE attack by bypassing the navigation restriction and reaching a web page containing the RCE payload through the iframe XSS flaw.

The developers removed the Sketchfab embed after the Discord team triaged the vulnerabilities and confirmed their validity, and applied a sandbox attribute to the iframe. "The contextIsolation was enabled after a bit," the bug bounty hunter said. Electron's "will-navigate" issue has been resolved as well. Kinugawa was awarded $5,000 by Discord for his research, along with $300 by the Sketchfab team for the XSS bug disclosure, now patched.
