Chrome Universal XSS through bypassing ScopedPageSuspender with closing windows (CVE-2017-5007)

ID SSV:92996
Type seebug
Reporter Root
Modified 2017-04-21T00:00:00



ScopedPageSuspender works by taking the pages in Page::ordinaryPages() and marking them as suspended. When window.close() is called, the following operations are performed:

From /third_party/WebKit/Source/web/ChromeClientImpl.cpp:

```cpp
void ChromeClientImpl::closeWindowSoon() {
  // Make sure this Page can no longer be found by JS.
  m_webView->page()->willBeClosed();

  // Make sure that all loading is stopped. Ensures that JS stops executing!
  m_webView->mainFrame()->stopLoading();

  if (m_webView->client())
    m_webView->client()->closeWidgetSoon();
}
```

|m_webView->page()->willBeClosed()| removes the associated page from the ordinaryPages set. Therefore, any suspender instantiated afterwards, for example during |m_webView->mainFrame()->stopLoading()|, won't include the closing page. This allows an attacker to circumvent the suspender and perform synchronous loads in unexpected circumstances, which is the root cause of the universal XSS.
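The ordering problem described above, reduced to a small self-contained C++ model. This is an added example, not Chromium code: the names `Page`, `OrdinaryPages`, `ScopedPageSuspender`, `willBeClosed()`, `stopLoading()` and `closeWindowSoon()` are deliberately simplified stand-ins for the Blink classes and methods of the same name, and `attemptSynchronousLoad()` is an assumed abstraction of "script in this page runs unless the page is suspended". The point it demonstrates is the one the advisory makes: a suspender snapshots `ordinaryPages()` at construction, and because `willBeClosed()` runs before `stopLoading()`, a suspender created inside `stopLoading()` never covers the closing page.

```cpp
// Added example: simplified model (not Chromium code) of the ordering bug
// in ChromeClientImpl::closeWindowSoon() described in the advisory.
#include <set>
#include <vector>

struct Page {
    bool closed = false;
    bool suspended = false;
};

// Stand-in for Page::ordinaryPages(): the set of pages a suspender can see.
using OrdinaryPages = std::set<Page*>;

// Stand-in for ScopedPageSuspender: snapshots ordinaryPages() at construction,
// suspends exactly those pages, and resumes exactly those pages on destruction.
class ScopedPageSuspender {
public:
    explicit ScopedPageSuspender(const OrdinaryPages& pages) {
        for (Page* p : pages) {
            p->suspended = true;
            suspended_.push_back(p);
        }
    }
    ~ScopedPageSuspender() {
        for (Page* p : suspended_) p->suspended = false;
    }
private:
    std::vector<Page*> suspended_;
};

// Stand-in for Page::willBeClosed(): the page leaves ordinaryPages(), so no
// suspender created from this point on will include it.
void willBeClosed(Page& page, OrdinaryPages& pages) {
    page.closed = true;
    pages.erase(&page);
}

// Assumed abstraction: a synchronous load runs script in |page| only if the
// page is not suspended. Returns true if script ran.
bool attemptSynchronousLoad(const Page& page) {
    return !page.suspended;
}

// Stand-in for mainFrame()->stopLoading(): the advisory notes that suspenders
// may be instantiated here. While the suspender is alive, |target| attempts a
// synchronous load; returns whether it succeeded.
bool stopLoading(Page& target, OrdinaryPages& pages) {
    ScopedPageSuspender suspender(pages);
    return attemptSynchronousLoad(target);
}

// Stand-in for ChromeClientImpl::closeWindowSoon(), in the order quoted above.
// Returns true if the closing page ran script while a suspender was active.
bool closeWindowSoon(Page& closing, OrdinaryPages& pages) {
    willBeClosed(closing, pages);        // removed from ordinaryPages() first ...
    return stopLoading(closing, pages);  // ... so this suspender misses it
}

// Scenario from the advisory: two pages, one of them calls window.close().
// Returns true when the closing page escaped suspension (the bug).
bool closingPageEscapesSuspender() {
    Page opener, popup;
    OrdinaryPages pages{&opener, &popup};
    return closeWindowSoon(popup, pages);
}

// Control: a page still present in ordinaryPages() is suspended, so the
// synchronous load is blocked.
bool openPageIsSuspended() {
    Page opener, popup;
    OrdinaryPages pages{&opener, &popup};
    return !stopLoading(popup, pages);
}

// Sanity check: once the suspender goes out of scope, covered pages resume.
bool pagesResumeAfterSuspender() {
    Page opener;
    OrdinaryPages pages{&opener};
    (void)stopLoading(opener, pages);
    return !opener.suspended;
}

int main() {
    bool ok = closingPageEscapesSuspender() && openPageIsSuspended() &&
              pagesResumeAfterSuspender();
    return ok ? 0 : 1;
}
```

The model makes the failure mode concrete: the suspender is correct for every page it can see, and the bug is purely that the closing page has already been hidden from it. Any fix that only tightens ScopedPageSuspender itself cannot help; what matters is that a page still able to run script stays visible to suspenders until loading has actually been stopped.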


Chrome 55.0.2883.75 (Stable)
Chrome 55.0.2883.75 (Beta)
Chrome 56.0.2924.14 (Dev)
Chromium 57.0.2943.0 + Pepper Flash (Release build compiled today)