CVE-2016-10604
In short
dalek-browser-chrome downloads browser binaries over unencrypted HTTP, so an attacker positioned on the network path between the user and the download server can intercept the transfer and substitute a malicious file, which is then run on the machine executing the tests.
Technical detail
CWE-311: Missing Encryption of Sensitive Data. dalek-browser-chrome retrieves binary resources via HTTP without encryption, enabling MITM attacks where an attacker with network position can replace legitimate binaries with malicious payloads, resulting in arbitrary code execution in the context of the application.
Summary generated and translated by AI from the official description.
dalek-browser-chrome is Google Chrome bindings for DalekJS. dalek-browser-chrome downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.
Affected products
HackerOne · dalek-browser-chrome node module
References
https://nodesecurity.io/advisories/199