2 matches found
Chrome Universal XSS via the interception of |Binding| with Object.prototype.create (CVE-2016-1674)
VULNERABILITY DETAILS The fix for the issue 590118 is insufficient to protect against the bindings interception. While they can't be accessed by triggering accessors on the |modules| object anymore, it's still possible to trap the set operation for |Binding. create| using the Object. prototype...
Chrome Universal XSS using a FrameNavigationDisabler bypass (CVE-2016-1673)
VULNERABILITY DETAILS When a top-level navigation is triggered on a frame displaying the initial empty document, FrameLoader::load is invoked directly: void LocalFrame::navigateDocument& originDocument, const KURL& url, bool replaceCurrentItem, UserGestureStatus userGestureStatus ... if isMainFra...