In fact, a good number of Electron apps, including Signal and Slack, are confirmed not vulnerable to this particular bug, despite the misleading way the report was written. (There's another bug being talked about which is adding to the confusion.)
The authors of this report should update it to clarify, rather than simply naming the most popular Electron apps as a means of whipping up attention.
can allow for remote code execution provided that the application is using a vulnerable version of Electron (version < 1.7.13, < 1.8.4, or < 2.0.0-beta.3), and hasn't manually opted into one of the following:
* Declared webviewTag: false in its webPreferences.
* Enabled the nativeWindowOption option in its webPreferences.
* Intercepting new-window events and overriding event.newGuest without using the supplied options tag.
These aren't old versions - 2 months in one case.
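
The conditions quoted above, written as a triage check for a single app (an added example, not code from the report or from any commenter). It assumes each "<" bound applies within its own release line, and it uses Electron's `nativeWindowOpen` key for the option the quoted text calls nativeWindowOption; the function names and the sample apps are constructed for illustration.

```javascript
// Added example: decide whether an app falls under the quoted conditions.
// Assumption: "< 1.7.13" covers 1.7.x and older, "< 1.8.4" covers 1.8.x,
// and "< 2.0.0-beta.3" covers the 2.0.0 betas.

// "1.8.3" or "2.0.0-beta.2" -> [major, minor, patch, beta]; a final
// release gets beta = Infinity so it sorts after every beta of that version.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-beta\.(\d+))?$/.exec(v);
  if (!m) throw new Error(`unrecognised Electron version: ${v}`);
  return [+m[1], +m[2], +m[3], m[4] === undefined ? Infinity : +m[4]];
}

// Field-by-field "a < b" on parsed versions.
function lessThan(a, b) {
  for (let i = 0; i < 4; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

function isVulnerableVersion(version) {
  const p = parseVersion(version);
  // Pick the fixed release for the line this version belongs to.
  const fixed = p[0] >= 2 ? "2.0.0-beta.3"
              : p[0] === 1 && p[1] === 8 ? "1.8.4"
              : "1.7.13";
  return lessThan(p, parseVersion(fixed));
}

// webPreferences is the object the app passes to its BrowserWindow.
function assess(version, webPreferences = {}) {
  if (!isVulnerableVersion(version))
    return { affected: false, reason: "fixed Electron version" };
  if (webPreferences.webviewTag === false)
    return { affected: false, reason: "webviewTag: false" };
  if (webPreferences.nativeWindowOpen === true)
    return { affected: false, reason: "nativeWindowOpen enabled" };
  // The third opt-out (a new-window handler that overrides event.newGuest)
  // lives in application code and cannot be read from webPreferences.
  return { affected: true, reason: "no config opt-out; review new-window handlers" };
}

// Constructed sample inventory, not real applications.
const apps = [
  { name: "app-a", electron: "1.7.12", prefs: {} },
  { name: "app-b", electron: "1.8.3", prefs: { webviewTag: false } },
  { name: "app-c", electron: "2.0.0-beta.3", prefs: {} },
];
for (const a of apps) console.log(a.name, assess(a.electron, a.prefs));
```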