It was found that electrum before 3.0.4 allowed CORS for the JSON-RPC server. This allows malicious users to possibly access wallets via the local RPC ports. Upstream issue: https://github.com/spesmilo/electrum/issues/3374
Created electrum tracking bugs for this issue: Affects: fedora-26 [bug 1532555]
electrum-3.0.5-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
This bug have been fixed in all supported versions of Fedora.