CVE-2016-5207

Universal XSS via fullscreen element updates

Reported by mailto:[email protected], Oct 14 2016

VULNERABILITY DETAILS

From /third_party/WebKit/Source/core/dom/Fullscreen.cpp:

void Fullscreen::didEnterFullscreenForElement(Element* element) {
(...)
// FIXME: This should not call updateStyleAndLayoutTree.
document()->updateStyleAndLayoutTree();
(...)
}

Indeed. didEnterFullscreenForElement may be called in the middle of DOM node removal if the node being removed is the active fullscreen element and there are other fullscreen elements on the Fullscreen::m_fullscreenElementStack (see Fullscreen::exitFullscreen()). In specific circumstances, when the document's focused node is in a <use> shadow tree with a scheduled update, this synchronous layout update may result in events being dispatched at a wrong time, which allows an attacker to corrupt the DOM tree.

VERSION

Chrome 54.0.2840.59 (Stable)
Chrome 54.0.2840.59 (Beta)
Chrome 55.0.2883.11 (Dev)
Chromium 56.0.2890.0 (Release build compiled today)

Link: https://bugs.chromium.org/p/chromium/issues/detail?id=655904