Seebug SSV:93000
Author: Root
Published: April 21, 2017

Chrome Universal XSS via fullscreen element updates (CVE-2016-5207)


EPSS score: 0.01 (Low); percentile: 81.7%

VULNERABILITY DETAILS

From /third_party/WebKit/Source/core/dom/Fullscreen.cpp:

    void Fullscreen::didEnterFullscreenForElement(Element* element) {
      (...)
      // FIXME: This should not call updateStyleAndLayoutTree.
      document()->updateStyleAndLayoutTree();
      (...)
    }

Indeed. |didEnterFullscreenForElement| may be called in the middle of a DOM node removal if the node being removed is the active fullscreen element and other fullscreen elements remain on Fullscreen::m_fullscreenElementStack (see Fullscreen::exitFullscreen()). In specific circumstances, when the document's focused node is in a shadow tree with a scheduled update, this synchronous style and layout-tree update may result in events being dispatched at the wrong time, which allows an attacker to corrupt the DOM tree.
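A harness that arranges the preconditions the report names (two elements on the fullscreen element stack, removal of the active fullscreen element while the other remains, a focused node inside a shadow tree with a pending update) and logs when the engine dispatches events relative to that removal. This is an added example, not the report's exploit.zip and not Chromium code; it does not attempt the UXSS. The element ids are ours, treating an append to a shadow host as the "scheduled update" the report refers to is our assumption, and so is the assumption that the nested fullscreen request is accepted while the click's user activation is still valid.

```html
<!doctype html>
<meta charset="utf-8">
<title>SSV:93000 precondition harness (added example, not exploit.zip)</title>
<!--
  Added harness: sets up the three preconditions from the report and logs the
  order in which events fire around the node removal. It does not attempt the
  UXSS. Assumptions: the ids below are ours; appending a child to a shadow host
  is taken to be the "scheduled update" the report mentions; the nested
  fullscreen request is assumed to be accepted while the click's activation is
  still valid.
-->
<div id="outer" style="background:#222;color:#eee;padding:1em">
  outer fullscreen element
  <div id="inner" style="border:1px solid #999;padding:1em">
    inner fullscreen element (removed in step 2)
    <button id="step">Step 1: enter nested fullscreen</button>
  </div>
  <div id="host"></div>
  <pre id="log"></pre>
</div>
<script>
'use strict';
const $ = (id) => document.getElementById(id);
const log = (msg) => { $('log').textContent += msg + '\n'; };

// Chrome 54-56 only exposed the webkit-prefixed API; newer builds have both.
const evName = ('onfullscreenchange' in document) ? 'fullscreenchange' : 'webkitfullscreenchange';
const fsElement = () => document.fullscreenElement || document.webkitFullscreenElement || null;
const idOf = (el) => (el ? el.id : 'null');

// Precondition 3: the focused node lives in a shadow tree.
const shadow = $('host').attachShadow({ mode: 'open' });
shadow.innerHTML = '<input id="sh" placeholder="focused, inside the shadow tree"><slot></slot>';
const shadowInput = shadow.getElementById('sh');

// Observers: the signal to look for is any line logged while "removing" is
// still true, i.e. an event dispatched synchronously inside inner.remove().
let removing = false;
document.addEventListener(evName, () =>
  log(`${evName}: fullscreenElement=${idOf(fsElement())} removing=${removing}`));
shadowInput.addEventListener('blur', () => log(`blur on shadow input removing=${removing}`));
shadow.querySelector('slot').addEventListener('slotchange', () => log(`slotchange removing=${removing}`));

// Request fullscreen for el and resolve on the next fullscreenchange.
function enter(el) {
  return new Promise((resolve) => {
    const done = () => { document.removeEventListener(evName, done); resolve(); };
    document.addEventListener(evName, done);
    (el.requestFullscreen || el.webkitRequestFullscreen).call(el);
  });
}

async function step1() {
  // Precondition 1: two elements on the fullscreen element stack, [outer, inner].
  await enter($('outer'));
  await enter($('inner'));
  log(`stack built: fullscreenElement=${idOf(fsElement())}`);
  $('step').textContent = 'Step 2: remove the inner (active) fullscreen element';
  $('step').onclick = step2;
}

function step2() {
  shadowInput.focus();                                   // focused node is in the shadow tree
  $('host').appendChild(document.createElement('span')); // leaves a slot-assignment update pending
  // Precondition 2: remove the active fullscreen element while outer is still on the stack.
  removing = true;
  $('inner').remove();
  removing = false;
  log(`after removal: fullscreenElement=${idOf(fsElement())}, ` +
      `outer still in document=${document.contains($('outer'))}, ` +
      `activeElement=${idOf(document.activeElement)}`);
}

$('step').onclick = step1;
</script>
```

Load the file in the build under test, click the button twice, then press Esc to read the log inside the outer element. Any line carrying removing=true shows an event handler running synchronously inside the removal, which is the window the report describes; on a fixed build every event should arrive only after the removal has completed.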

VERSION

Chrome 54.0.2840.59 (Stable)
Chrome 54.0.2840.59 (Beta)
Chrome 55.0.2883.11 (Dev)
Chromium 56.0.2890.0 (Release build compiled today)

Attachment: exploit.zip
