SSV:92999
History: Apr 21, 2017 - 12:00 a.m.

Chrome Universal XSS using an <input type="color"> element (CVE-2016-5208)

2017-04-21 00:00:00
Root
www.seebug.org
7

EPSS: 0.003 (Low), Percentile: 67.9%

VULNERABILITY DETAILS

When an input element is removed, the popup is closed during the layout tree detach:

    void HTMLInputElement::detachLayoutTree(const AttachContext& context) {
      HTMLTextFormControlElement::detachLayoutTree(context);
      m_needsToUpdateViewValue = true;
      m_inputTypeView->closePopupView();
    }

If the chooser is still being displayed, its associated popup is torn down and the client (ColorChooserPopupUIController for inputs of type “color”) is notified:

    void WebPagePopupImpl::closePopup() {
      // This function can be called in EventDispatchForbiddenScope for the main
      // document, and the following operations dispatch some events. It's safe
      // because web authors can't listen to the events.
      EventDispatchForbiddenScope::AllowUserAgentEvents allowEvents;
      (...)
      m_popupClient->didClosePopup();
      m_webView->cleanupPagePopup();
    }

The notification is propagated back to the input type, which may dispatch a change event to the input element if its value has changed recently:

    void ColorInputType::didEndChooser() {
      EventQueueScope scope;
      if (LayoutTheme::theme().isModalColorChooser())
        element().dispatchFormControlChangeEvent();
      m_chooser.clear();
    }

Because the change event is dispatched synchronously, page script runs while the input element is still being detached, contradicting the assumption in closePopup() that only user-agent events fire there. An attacker can use this synchronous event to corrupt the DOM tree.
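The following is an added illustration, not Blink or Chromium code, of the invariant the detach path above silently breaks: a toy EventDispatchForbiddenScope that lets user-agent-internal events through under AllowUserAgentEvents but defers author-visible events (like the "change" event from didEndChooser) until teardown has finished. The event names, the `simulateDetach` walkthrough and the deferral strategy are assumptions for the demonstration; they are not Chromium's actual fix.

```cpp
#include <functional>
#include <string>
#include <utility>
#include <vector>
// Toy model (assumed design, not Blink code): author-visible events raised
// while teardown is in progress are queued and replayed afterwards; UA-internal
// events may run synchronously only inside an explicit AllowUserAgentEvents region.
struct EventDispatcher {
  int forbiddenDepth = 0;       // >0 while a layout-tree detach is running
  int allowUserAgentDepth = 0;  // >0 inside an AllowUserAgentEvents region
  std::vector<std::function<void()>> deferred;  // author events to replay
  std::vector<std::string> log;                 // order events actually ran

  // Returns true if the event ran synchronously, false if it was deferred.
  bool dispatch(const std::string& name, bool authorVisible, std::function<void()> handler) {
    bool allowed = forbiddenDepth == 0 ||
                   (!authorVisible && allowUserAgentDepth > 0);
    if (!allowed) {
      deferred.push_back([this, name, handler] { log.push_back(name); handler(); });
      return false;
    }
    log.push_back(name);
    handler();
    return true;
  }
  void beginForbidden() { ++forbiddenDepth; }
  void endForbidden() {
    if (--forbiddenDepth == 0) {
      auto tasks = std::move(deferred);  // replay only once the scope is gone
      deferred.clear();
      for (auto& t : tasks) t();
    }
  }
};

// Walks detachLayoutTree -> closePopup -> didEndChooser as in the report and
// returns the order in which events actually ran under the guarded dispatcher.
std::vector<std::string> simulateDetach() {
  EventDispatcher d;
  d.beginForbidden();                // HTMLInputElement::detachLayoutTree
  ++d.allowUserAgentDepth;           // WebPagePopupImpl::closePopup
  d.dispatch("popupclose", /*authorVisible=*/false, [] {});
  // didEndChooser: "change" is observable by page script, so it is deferred.
  d.dispatch("change", /*authorVisible=*/true, [] {});
  --d.allowUserAgentDepth;
  d.log.push_back("detach-complete");
  d.endForbidden();
  return d.log;
}
```

With the guard in place the script-visible "change" handler runs only after "detach-complete", whereas outside any detach the same event still dispatches synchronously.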

VERSION

Chrome 54.0.2840.59 (Stable)
Chrome 55.0.2883.21 (Beta)
Chrome 56.0.2896.3 (Dev)
Chromium 56.0.2899.0 (Release build compiled today)

Attachment: exploit.zip