[PRQ#78659] Deletion Request for vitamin-browser
terpinedream [1] filed a deletion request for vitamin-browser [2]:

CRITICAL ISSUES

1. Electron Sandbox Disabled (Critical)
The application conditionally launches Electron with --no-sandbox on Linux when unprivileged user namespaces are unavailable.
Impact:
- Removes Electron's primary security boundary
- Renderer compromise results in full system compromise
- Breaks Electron's security model
Fix:
- Never disable sandboxing
- Handle restricted environments without removing security boundaries

2. Full IPC Exposure to Web Content (Critical)
The preload script exposes unrestricted ipcRenderer to window.chrome, allowing any website to call any IPC handler.
Impact:
- Arbitrary IPC invocation from web content
- Access to file operations, navigation, cookies, and data deletion
- Enables RCE via bookmarklet and executeJavaScript handlers
- Complete browser takeover from a malicious site
Fix:
- Remove direct IPC exposure
- Whitelist allowed IPC channels
- Enforce origin and sender validation

3. JavaScript Code Injection via executeJavaScript (Critical)
User-controlled values are interpolated into executeJavaScript calls using template literals.
Impact:
- Direct code injection into page context
- Cookie and session theft
- Arbitrary script execution
Fix:
- Never concatenate user input into JavaScript
- Use structured messaging (webContents.send)
- Serialize data safely (e.g., JSON)

HIGH SEVERITY ISSUES

Remote Code Execution via Bookmarklets
Bookmarklets execute arbitrary JavaScript in any page context without isolation or validation.
Fix:
- Remove or strictly sandbox bookmarklet execution

Widespread XSS (innerHTML misuse)
Multiple UI components insert unsanitized data via innerHTML.
Fix:
- Use textContent instead of innerHTML
- Apply proper HTML sanitization (e.g., DOMPurify)

No Input Validation on IPC Handlers
IPC handlers accept untrusted input without schema validation or bounds checking.
Fix:
- Enforce strict schemas (Zod, Joi)
- Validate all IPC inputs

Insecure URL Handling
URL validation relies on string matching rather than proper URL parsing.
Fix:
- Parse URLs using new URL()
- Validate scheme and hostname explicitly

Directory Traversal in File Operations
File paths are not constrained to safe directories.
Fix:
- Resolve paths and enforce base directory boundaries

Plaintext Storage of Sensitive Data
Session, history, and bookmark data are stored unencrypted.
Fix:
- Encrypt sensitive data or minimize stored data
- Use OS-backed secure storage when possible

Missing Content Security Policy
No CSP is set, allowing inline scripts, eval, and easy XSS exploitation.
Fix:
- Implement a strict CSP
- Disallow inline scripts and eval

package is not production ready and proves a massive security issue.

[1] https://aur.archlinux.org/account/terpinedream/
[2] https://aur.archlinux.org/pkgbase/vitamin-browser/
Request #78659 has been Rejected by Muflone [1]: invalid request, this relates to the software author, not the package itself

[1] https://aur.archlinux.org/account/Muflone/
My personal opinions of the software author aside, this browser is storing user credentials in plain text, there's no input validation, and the author is primarily promoting this to kids. It's dangerous in its current state and it should be made more clear this is NOT production software. I'd be happy to share my full security audit if you're curious about specific issues or vulnerabilities. There's about 50 of them.

Thanks,
Buster

On Sat, Jan 10, 2026 at 12:28 PM <notify@aur.archlinux.org> wrote:
Request #78659 has been Rejected by Muflone [1]:
invalid request, this relates to the software author, not the package itself
participants (2):
- Brenden Panageas
- notify@aur.archlinux.org