Enabling Node.js integration in Electron web content renderers (BrowserWindow, BrowserView and webview) can result in remote native code execution attacks. The attack is realized when the renderer loads content from an untrusted remote web site, or from a trusted site that has a cross-site scripting vulnerability: script injected into the page can then call Node.js APIs with the privileges of the application.

Node.js integration should be disabled when loading remote web sites. Always set the nodeIntegration preference to false before loading remote web sites, and only enable it for whitelisted sites.

Note that the nodeIntegration property is enabled by default in Electron and needs to be set to false explicitly.

The following examples show insecure and secure uses of BrowserWindow and BrowserView when loading remote web sites:

  • Electron Documentation: Security, Native Capabilities, and Your Responsibility