Skip to content

Latest commit

 

History

History
16 lines (10 loc) · 792 Bytes

README.md

File metadata and controls

16 lines (10 loc) · 792 Bytes

Universal XSS via the interception of |Binding| with Object.prototype.create

Reported by mailto:[email protected], Mar 26 2016

VULNERABILITY DETAILS

The fix for issue 590118 is insufficient to protect against bindings interception. While they can't be accessed by triggering accessors on the |modules| object anymore, it's still possible to trap the set operation for |Binding.create| using Object.prototype.create. The obtained constructor can then be used to take over the the built-in extensions system and gain access to native functions.

VERSION

Chrome 49.0.2623.108 (Stable) Chrome 50.0.2661.49 (Beta) Chrome 51.0.2687.0 (Dev) Chromium 51.0.2692.0 + Pepper Flash (Release build compiled today)

Link: https://bugs.chromium.org/p/chromium/issues/detail?id=598165