Mitigating CVE-2023-4863 in Webview2 and CEF 102 with Fixed Runtimes #4222
-
|
Our Windows application hosts internal JavaScript and allows customers to launch their own URLs through Webview2 and CEF 102 fixed runtime versions. While LibWebP isn't explicitly available in the Webview2 fixed runtime, our understanding is that it's used internally within both Webview2 and CEF frameworks. Given the security issue CVE-2023-4863 affecting LibWebP, we're unsure whether upgrading to the latest Webview2 and CEF versions is necessary to mitigate the risk. Can you please advise on this matter and also suggest if we have any work around to avoid without upgrading the fixed runtime for existing customers? |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments
-
|
@LiangTheDev do you have any advice for @JamesJPrasanna ? |
Beta Was this translation helpful? Give feedback.
-
|
As the issue has been fixed in Chrome 116 according to https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html (linked from CVE-2023-4863), the same fix should be in Edge 116. So, updating to latest Edge WebView2 Runtime should mitigate the risk. |
Beta Was this translation helpful? Give feedback.
As the issue has been fixed in Chrome 116 according to https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html (linked from CVE-2023-4863), the same fix should be in Edge 116. So, updating to latest Edge WebView2 Runtime should mitigate the risk.
When using fixed version runtime, that runtime would not change behavior without replacing it. If we use evergreen WebView2 runtime, it would be auto updated and we would not have to worry about issues like this.