Several months ago, bug bounty hunter Masato Kinugawa created an exploit chain leading to RCE and published a blog post over the weekend explaining the technical details of the process, which involved several bugs. Electron, the development framework used for the Discord desktop client, contained the first security problem. The JavaScript code used by Electron, an open source project for building cross-platform applications with JavaScript, HTML, and CSS, is delivered locally because the web package is not open source, and it could be extracted and analysed. One of the settings in Discord's Electron build, "contextIsolation", was set to false, which could allow web page code to interfere with internal JavaScript, such as the Node.js functionality, that runs outside the page. The option exists to keep the contexts of web pages and of Electron's internal JavaScript code separate. "This behavior is dangerous since Electron allows the JavaScript code outside of web pages to use the functionality of Node.js regardless of the nodeIntegration option, and it may be possible to achieve RCE by interfering with them from the overridden function on the web page even if the nodeIntegration is set to false," Kinugawa explained. Next, the researcher needed a way to execute JavaScript in the application, which led to the discovery of a cross-site scripting (XSS) problem in the iframe embed feature, used to display videos in chat when a URL is shared, such as one from YouTube. This led Kinugawa to Sketchfab, a 3D model viewer. Sketchfab is whitelisted in Discord's Content Security Policy and can be included in the iframe, but it contained a DOM-based XSS in the embed page.
This only allowed the bug bounty hunter to execute JavaScript inside the iframe, however, so it was still not possible to achieve full RCE in the Discord desktop app. At least, not until Kinugawa came across a navigation restriction bypass in Electron's "will-navigate" event code. This logic error, tracked as CVE-2020-15174, combined with the other two vulnerabilities, enabled Kinugawa to perform an RCE attack by bypassing the navigation restriction and reaching a web page containing the RCE payload through the iframe XSS flaw. Kinugawa submitted his findings through Discord's bug bounty program. After the Discord team triaged the vulnerabilities and verified their severity, the developers removed the Sketchfab embed and applied a sandbox attribute to the iframe. "The contextIsolation was enabled after a while," the bug bounty hunter said. "Now, even though I might execute arbitrary JavaScript on the app, the overridden JavaScript built-in methods do not cause RCE to happen." Kinugawa was awarded $5,000 by Discord for his report, alongside $300 by the Sketchfab team for the XSS flaw disclosure, which has now been patched. Electron's "will-navigate" issue has been resolved as well.
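As an added illustration that is not part of the article or of Discord's or Electron's code, the following JavaScript audits a BrowserWindow `webPreferences` object for the weak settings the chain above relied on and shows an origin allow-list check of the kind a `will-navigate` handler would call. The configuration objects, function names and allow-list are constructed assumptions, and the block runs in plain Node.js without Electron.

```javascript
// Constructed example of the configuration the article describes:
// contextIsolation off, so page JS can tamper with preload/internal code.
const weakPrefs = { nodeIntegration: false, contextIsolation: false };

// Hardened form: isolation on, renderer sandboxed, no Node in the renderer.
const hardenedPrefs = { nodeIntegration: false, contextIsolation: true, sandbox: true };

// Return a list of findings for a webPreferences object (empty list = clean).
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.contextIsolation !== true) {
    findings.push("contextIsolation is off: page JS can reach internal/preload code");
  }
  if (prefs.nodeIntegration === true) {
    findings.push("nodeIntegration is on: renderer has direct Node.js access");
  }
  if (prefs.sandbox !== true) {
    findings.push("sandbox is off: renderer process is not OS-sandboxed");
  }
  return findings;
}

// Allow a navigation only if the target parses as an https URL whose exact
// origin is on the allow-list. Comparing origins (not string prefixes) avoids
// accepting look-alike hosts; unparsable targets are rejected.
function isNavigationAllowed(targetUrl, allowedOrigins) {
  let parsed;
  try {
    parsed = new URL(targetUrl);
  } catch (e) {
    return false;
  }
  if (parsed.protocol !== "https:") return false;
  return allowedOrigins.includes(parsed.origin);
}

// Assumed wiring in an Electron main process (shown as a comment, not run here):
// win.webContents.on("will-navigate", (event, url) => {
//   if (!isNavigationAllowed(url, ["https://app.example"])) event.preventDefault();
// });

module.exports = { weakPrefs, hardenedPrefs, auditWebPreferences, isNavigationAllowed };
```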