Renderers can obtain access to random bluetooth device without permission in Electron
Description

### Impact
This vulnerability allows renderers to obtain access to a random bluetooth device via the [web bluetooth API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Bluetooth_API) if the app has not configured a custom `select-bluetooth-device` event handler. The device that is accessed is random and the attacker would have no way of selecting a specific device.

All current stable versions of Electron are affected.

### Patches
This has been patched and the following Electron versions contain the fix:
* `17.0.0-alpha.6`
* `16.0.6`
* `15.3.5`
* `14.2.4`
* `13.6.6`

### Workarounds
Adding this code to your app works around the issue by cancelling every Bluetooth device request before Electron's default handler can pick a device.

```js
app.on('web-contents-created', (event, webContents) => {
  webContents.on('select-bluetooth-device', (event, devices, callback) => {
    // Prevent default behavior
    event.preventDefault();
    // Cancel the request
    callback('');
  });
});
```
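As an added example (not code from the advisory or the Electron project), the same deny-by-default handler extended so the app can explicitly approve devices by name; the `allowedNames` parameter, the `installBluetoothGuard` helper and the constructed device list are assumptions for illustration.

```javascript
// Added example: build a 'select-bluetooth-device' handler that cancels every
// request unless a device's name is on an explicit allowlist chosen by the app.
// `allowedNames` is an illustrative parameter, not an Electron API.
function makeSelectBluetoothDeviceHandler(allowedNames) {
  const allowed = new Set(allowedNames);
  return (event, devices, callback) => {
    // Always suppress Electron's default, which otherwise picks a device itself.
    event.preventDefault();
    // Electron passes BluetoothDevice objects carrying deviceName and deviceId.
    const match = devices.find((d) => allowed.has(d.deviceName));
    // An empty string cancels the request; otherwise grant only the chosen id.
    const chosenId = match ? match.deviceId : '';
    callback(chosenId);
    return chosenId;
  };
}

// Wire the handler into every renderer's WebContents, in the same shape as the
// advisory's workaround. `app` is passed in so this file needs no Electron import.
function installBluetoothGuard(app, allowedNames) {
  const handler = makeSelectBluetoothDeviceHandler(allowedNames);
  app.on('web-contents-created', (event, webContents) => {
    webContents.on('select-bluetooth-device', handler);
  });
  return handler;
}

// Constructed sample input: two devices a renderer's requestDevice() scan found.
const SAMPLE_DEVICES = [
  { deviceName: 'Random Headset', deviceId: 'id-headset' },
  { deviceName: 'Company Badge Reader', deviceId: 'id-badge' },
];

// Exercise the handler offline with a fake event and callback.
function simulate(allowedNames, devices) {
  let prevented = false;
  let chosen = null;
  const event = { preventDefault: () => { prevented = true; } };
  makeSelectBluetoothDeviceHandler(allowedNames)(event, devices, (id) => { chosen = id; });
  return { prevented, chosen };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(simulate([], SAMPLE_DEVICES));                       // cancelled: chosen ''
  console.log(simulate(['Company Badge Reader'], SAMPLE_DEVICES)); // chosen 'id-badge'
}
```

With an empty allowlist the handler behaves exactly like the advisory's workaround; a non-empty one grants only the named device and still cancels when nothing matches.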

### For more information
If you have any questions or comments about this advisory, email us at [email protected].
