There is an info leak in JSON.parse. If this function is called with a reviver, and the reviver modifies the output object to contain a native array, the Walk function assumes that this array is a Var array, and writes pointers to it. These pointers can then be read out of the array by script.
A minimal PoC is as follows:
var once = false;
var a = 1;
a = new Array(1, 2, 3);
this = a;
once = true;
JSON.parse("[1, 2, [4, 5]]", f);
A full PoC is attached. When loaded in a browser, this PoC will delay pointers in an alert dialog.
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.