Chrome Security: Universal XSS through removing link elements (CVE-2017-5010)

2017-04-21T00:00:00
ID: SSV:92998
Type: seebug
Reporter: Root
Modified: 2017-04-21T00:00:00

Description

VULNERABILITY DETAILS

When a link element is notified about its removal from the tree and the linked stylesheet happens to be the last pending one in the document, the fragment anchor may be updated, which triggers layout updates when it should be forbidden. In special circumstances, the updates may end up resolving a FontFace load promise, which allows an attacker to bypass the ScriptForbiddenScope and corrupt the DOM tree. The exploit circumvents all the nifty protections planned in https://codereview.chromium.org/2478573002/ as a bonus.

VERSION

Chrome 54.0.2840.87 (Stable)
Chrome 55.0.2883.35 (Beta)
Chrome 56.0.2906.0 (Dev)
Chromium 56.0.2914.0 (Release build compiled today)

Attachment: exploit.zip