Hardening of TypedArrays with non-canonical numeric property names in SES

Impact What kind of vulnerability is it? Who is impacted? In Hardened JavaScript, programs can harden objects to safely share objects with co-tenant programs without risk of these other programs tampering with their API surface. Hardening does not guarantee that objects are pure or immutable, so ...

Microsoft Edge Chakra - 'InlineArrayPush' Type Confusion

/ In Chakra, if you add a numeric property to an object having inlined properties, it will start transition to a new type where the space for some of previously inlined properties become for the pointer to the property slots and the pointer to the object array which stores numeric properties. For...

Microsoft Edge Chakra - InlineArrayPush Type Confusion

Microsoft Edge Chakra - InlineArrayPush Type Confusion / In Chakra, if you add a numeric property to an object having inlined properties, it will start transition to a new type where the space for some of previously inlined properties become for the pointer to the property slots and the pointer t...

Microsoft Edge Chakra InlineArrayPush Type Confusion

Microsoft Edge: Chakra: Type confusion with InlineArrayPush CVE-2018-8617 In Chakra, if you add a numeric property to an object having inlined properties, it will start transition to a new type where the space for some of previously inlined properties become for the pointer to the property slots...