Flash Browser is built on Electron 9.4.4, which reached end-of-life in March 2021.

This application should ONLY be used in isolated, sandboxed environments such as virtual machines. Do not use this application for accessing sensitive data, important accounts, or production systems.

• Electron 9.4.4 (EOL: March 2021) - No security patches available
• Adobe Flash Player (EOL: January 12, 2021) - No longer supported by Adobe
• Node.js 12.14 - Bundled with Electron 9, also reached EOL

To support PPAPI Flash Player plugins, the following security flags are required and cannot be disabled:

As of the last update, the following known vulnerabilities exist:

• Status: Abandoned package (last update: 4+ years ago)
• Vulnerabilities: 44 known issues
• Impact: Core navigation system, cannot be removed without complete rewrite
• Mitigation: Used in controlled environment only

• Peer Dependency Mismatch: Requires Electron >11, running on 9.4.4
• Status: Working but unsupported configuration
• Mitigation: Can be disabled if compatibility issues arise (see lines 316-321 in index.js)

• Total vulnerabilities: 29 (1 low, 9 moderate, 15 high, 4 critical)
• These are primarily transitive dependencies with no fixes available for Electron 9

Despite the constraints of Electron 9 EOL status, the following security hardening measures have been implemented:

1. URL Validation

   • Command-line argument validation for SWF file paths
   • URL sanitization before setting favorites/homepage
   • Path traversal detection and warnings

2. Content Security Policy

   • CSP headers added for non-Flash content
   • Object source restrictions where possible
   • Script source validation

3. Error Handling

   • Try-catch blocks around all remote module calls
   • IPC communication error handling
   • Plugin loading failure detection

4. Input Sanitization

   • URL input validation in navigation bar
   • Protocol checking (http/https/file only)
   • Empty input rejection

• Node.js engine version constraints (12.14.0 to <16.0.0)
• Documented security trade-offs in code comments
• Error logging for security-related failures

❌ DO NOT USE FOR:

• Banking or financial services
• Sensitive personal data
• Production environments
• Public-facing systems
• Systems with access to important data

✅ Appropriate for:

• Running legacy Flash games in isolated VMs
• Flash content preservation and archival
• Educational purposes in sandboxed environments
• Testing and development of Flash content

Required setup:

- Run FlashBrowser inside a dedicated VM
- Use snapshots before each session
- No shared folders with host system
- No access to sensitive files/networks
- Isolated network segment if possible

• Use firewall rules to restrict outbound connections
• Consider VPN or proxy for Flash game sites
• Monitor network traffic for suspicious activity
• Block access to internal networks/resources

• Never enter passwords or sensitive information
• Do not access email, cloud storage, or authenticated services
• Clear cache regularly (Ctrl+Shift+F10)
• Do not download files to important directories

• Monitor system resource usage for abnormal behavior
• Check running processes regularly
• Review logs for suspicious activity
• Keep VM snapshots for easy rollback

If you discover a security vulnerability in FlashBrowser, please report it by:

1. Opening an issue on the GitHub repository
2. Tagging as security and vulnerability
3. Providing details:
   • Steps to reproduce
   • Potential impact
   • Affected versions
   • Suggested mitigations (if any)

Please do not publicly disclose exploit code or detailed attack techniques without giving maintainers time to respond (reasonable disclosure period: 90 days).

The following Common Vulnerabilities and Exposures (CVEs) affect Electron 9.x and have no available patches:

• Various remote code execution vulnerabilities
• Cross-site scripting (XSS) vulnerabilities in webviews
• Privilege escalation issues
• Information disclosure vulnerabilities

For a complete list of Electron 9 CVEs, see:

• CVE Details - Electron
• Electron Security Advisories

Adobe Flash Player has thousands of known CVEs dating back decades. Notable recent CVEs before EOL include:

• CVE-2020-9746 (RCE)
• CVE-2020-9633 (RCE)
• CVE-2020-9632 (Information Disclosure)

Q: Why not upgrade to the latest Electron?

A: PPAPI plugin support (required for Flash Player) was completely removed in Electron 10. No version after 9.x supports PPAPI plugins. Upgrading to Electron 10+ would break Flash functionality entirely.

Q: Why not migrate to Ruffle (WebAssembly Flash emulator)?

A: Ruffle is an excellent alternative for many use cases, but it:

• Has incomplete Flash API coverage
• May not support all legacy Flash content
• Requires significant code refactoring
• Is a different approach than native PPAPI plugins

Users who don't need native Flash plugin support should consider using Ruffle instead.

When Flash support is no longer required, the recommended migration path is:

1. Upgrade to Electron LTS (latest supported version)
2. Enable modern security features:
   • contextIsolation: true
   • nodeIntegration: false
   • Remove enableRemoteModule
   • Enable sandbox mode
   • Enable site isolation
3. Replace electron-navigation with modern alternatives
4. Remove Flash-specific code and dependencies
5. Implement Content Security Policy fully
6. Add security-focused preload scripts

• Electron Security Best Practices
• OWASP Top 10
• NIST Cybersecurity Framework
• Flash Player EOL Information

For security-related questions or concerns, please open an issue on the GitHub repository with the security label.

Last Updated: January 2026 Electron Version: 9.4.4 (EOL) Flash Player Version: 32.0.0.465 (EOL)