VULNERABILITY DETAILS
From /third_party/WebKit/Source/core/dom/Fullscreen.cpp:

void Fullscreen::didEnterFullscreenForElement(Element* element)
{
    (...)
    // FIXME: This should not call updateStyleAndLayoutTree.
    document()->updateStyleAndLayoutTree();
    (...)
}
Indeed. |didEnterFullscreenForElement| may be called in the middle of a DOM node removal if the node being removed is the active fullscreen element and there are other fullscreen elements on the Fullscreen::m_fullscreenElementStack (see Fullscreen::exitFullscreen()). In specific circumstances, when the document's focused node is in a shadow tree with a scheduled update, this synchronous layout update may result in events being dispatched at the wrong time, which allows an attacker to corrupt the DOM tree.
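The hazard above is a reentrancy problem: a notification that can run script fires while a structural mutation is only half done. The following is an added example, a deliberately simplified model that is not Blink code; the names FullscreenStack, removeFromDocument, requestFullscreen and runRemovalScenario are invented for illustration and only stand in for the fullscreen element stack, the removal path and the "entered fullscreen" notification described in the report. It contrasts notifying synchronously mid-removal (the listener mutates an intermediate state, leaving a removed element on the stack) with deferring the notification until the removal has completed.

```cpp
#include <algorithm>
#include <cstdio>
#include <functional>
#include <utility>
#include <vector>

// Simplified model (added example, not Blink code): a fullscreen element stack
// whose "entered fullscreen" notification can run script-like listener code.
struct Element {
    int id;
    bool inDocument;
};

class FullscreenStack {
public:
    using Listener = std::function<void(FullscreenStack&, Element&)>;

    explicit FullscreenStack(bool deferNotify) : deferNotify_(deferNotify) {}

    void requestFullscreen(Element& e) { stack_.push_back(&e); }
    void setListener(Listener l) { listener_ = std::move(l); }

    // Removing the active fullscreen element from the document: pop it and, if
    // another element is still on the stack, announce that it is now the active
    // fullscreen element (the counterpart of didEnterFullscreenForElement).
    void removeFromDocument(Element& e) {
        stack_.erase(std::remove(stack_.begin(), stack_.end(), &e), stack_.end());
        if (!stack_.empty()) {
            Element* next = stack_.back();
            if (deferNotify_)
                pending_.push_back([this, next] { listener_(*this, *next); });
            else
                listener_(*this, *next);   // hazard: listener runs mid-removal
        }
        e.inDocument = false;              // second half of the removal
        // Removal is complete; now it is safe to run deferred notifications.
        auto tasks = std::move(pending_);
        pending_.clear();
        for (auto& task : tasks) task();
    }

    // Invariant: every element on the fullscreen stack is still in the document.
    bool consistent() const {
        return std::all_of(stack_.begin(), stack_.end(),
                           [](const Element* e) { return e->inDocument; });
    }
    std::size_t depth() const { return stack_.size(); }

private:
    bool deferNotify_;
    std::vector<Element*> stack_;
    std::vector<std::function<void()>> pending_;
    Listener listener_ = [](FullscreenStack&, Element&) {};
};

// Scenario (constructed): two nested fullscreen elements; the inner one is
// removed, and the listener reacts the way script could, by re-inserting the
// removed element and requesting fullscreen for it again. Returns whether the
// stack invariant still holds once removeFromDocument returns.
bool runRemovalScenario(bool deferNotify) {
    Element outer{1, true}, inner{2, true};
    FullscreenStack fs(deferNotify);
    fs.requestFullscreen(outer);
    fs.requestFullscreen(inner);
    fs.setListener([&inner](FullscreenStack& s, Element&) {
        inner.inDocument = true;           // re-insert into the document
        s.requestFullscreen(inner);
    });
    fs.removeFromDocument(inner);
    return fs.consistent();
}

int main() {
    std::printf("synchronous notification: invariant %s\n",
                runRemovalScenario(false) ? "held" : "BROKEN");
    std::printf("deferred notification:    invariant %s\n",
                runRemovalScenario(true) ? "held" : "BROKEN");
    return 0;
}
```

In the synchronous variant the listener observes the element while it is still marked as in the document, pushes it back onto the stack, and the rest of the removal then detaches it, so the stack ends up referencing a detached element. Deferring the notification until the mutation has finished is the general fix the FIXME in the report points at: work that can run script belongs after the DOM is back in a consistent state, not inside the removal.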
Chrome 54.0.2840.59 (Stable)
Chrome 54.0.2840.59 (Beta)
Chrome 55.0.2883.11 (Dev)
Chromium 56.0.2890.0 (Release build compiled today)
Attachment: exploit.zip