Google Chrome 72.0.3626.96 / 74.0.3702.0 - 'JSPromise::TriggerPromiseReactions' Type Confusion

JSPromise::TriggerPromiseReactionsIsolate isolate, Handle reactions, Handle argument, PromiseReaction::Type type DCHECKreactions-IsSmi || reactions-IsPromiseReaction; // We need to reverse the reactions here, since we record them // on the JSPromise in the reverse order. DisallowHeapAllocation...

Google Chrome 72.0.3626.96 74.0.3702.0 - JSPromise::TriggerPromiseReactions Type Confusion

Google Chrome 72.0.3626.96 74.0.3702.0 - JSPromise::TriggerPromiseReactions Type Confusion JSPromise::TriggerPromiseReactionsIsolate isolate, Handle reactions, Handle argument, PromiseReaction::Type type DCHECKreactions-IsSmi || reactions-IsPromiseReaction; // We need to reverse the reactions her...

Google Chrome Type Obfuscation Vulnerability (CNVD-2019-23131)

Google Chrome is a web browser developed by Google Inc. A type confusion vulnerability exists in JSPromise::TriggerPromiseReactions in Google Chrome, which can be exploited by an attacker to gain unauthorized access to data and execute arbitrary code...

Google Chrome 72.0.3626.96 / 74.0.3702.0 - JSPromise::TriggerPromiseReactions Type Confusion

JSPromise::TriggerPromiseReactionsIsolate isolate, Handle reactions, Handle argument, PromiseReaction::Type type DCHECKreactions-IsSmi || reactions-IsPromiseReaction; // We need to reverse the reactions here, since we record them // on the JSPromise in the reverse order. DisallowHeapAllocation...

Chrome JSPromise::TriggerPromiseReactions Type Confusion

Chrome: Type confusion in JSPromise::TriggerPromiseReactions VULNERABILITY DETAILS ==1. TriggerPromiseReactions== https://cs.chromium.org/chromium/src/v8/src/objects.cc?rcl=d24c8dd69f1c7e89553ce101272aedefdb41110d&l=5975 Handle JSPromise::TriggerPromiseReactionsIsolate isolate, Handle reactions,...