Chrome Universal XSS using document.adoptNode (CVE-2015-6770)

VULNERABILITY DETAILS From /thirdparty/WebKit/Source/core/dom/Document.cpp: PassRefPtrWillBeRawPtr Document::adoptNodePassRefPtrWillBeRawPtr source, ExceptionState& exceptionState EventQueueScope scope; switch source-nodeType ... default: ... if source-parentNode...

Design/Logic Flaw

Use-after-free vulnerability in the HTMLScriptElement::didMoveToNewDocument function in core/html/HTMLScriptElement.cpp in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact...