1110 - WebKit: UXSS via ContainerNode::parserRemoveChild - project-zero

Starred by 2 users

Status:	Fixed
Owner:	lokihardt@google.com
Closed:	Mar 2017
Cc:	project-...@google.com
Deadline-90 Vendor-Apple CCProjectZeroMembers Severity-High Product-WebKit Finder-lokihardt Reported-2017-Feb-02 CVE-2017-2475

WebKit: UXSS via ContainerNode::parserRemoveChild

Project Member Reported by lokihardt@google.com, Feb 2 2017

Back to list

This is a regression test from https://crbug.com/456518.

ContainerNode::parserRemoveChild doesn't detach subframes unlike ContainerNode::removeChild. As a result, it could lead to UXSS.

Tested on Safari 10.0.3(12602.4.8).


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Project Member Comment 1 by lokihardt@google.com, Mar 27 2017

Labels: CVE-2017-2475
Status: Fixed

Project Member Comment 2 by lokihardt@google.com, Apr 7 2017

WebKit Tracker: https://bugs.webkit.org/show_bug.cgi?id=168490

Project Member Comment 3 by lokihardt@google.com, May 4 2017

Labels: -Restrict-View-Commit

► Sign in to add a comment