From /third_party/WebKit/Source/bindings/core/v8/Iterable.h:

```cpp
void forEachForBinding(...)
{
    (...)
    v8::Local<v8::Object> creationContext(scriptState->context()->Global());
    v8::Local<v8::Function> v8Callback(callback.v8Value().As<v8::Function>());
    v8::Local<v8::Value> v8ThisArg(thisArg.v8Value());
    v8::Local<v8::Value> args[3];

    args[2] = thisValue.v8Value();

    while (true) {
        KeyType key;
        ValueType value;

        if (!source->next(scriptState, key, value, exceptionState))
            return;

        (...)

        args[0] = toV8(value, creationContext, isolate);
        args[1] = toV8(key, creationContext, isolate);

        (...)

        v8::Local<v8::Value> result;
        if (!V8ScriptRunner::callFunction(v8Callback, scriptState->getExecutionContext(), v8ThisArg, 3, args, isolate).ToLocal(&result)) {
            exceptionState.rethrowV8Exception(tryCatch.Exception());
            return;
        }
    }
}
```
This code doesn't consider that the callback can change the security characteristics of the object used as a creation context: creationContext is captured once before the loop, and every callback invocation runs arbitrary script before the next toV8() wrappers are created with that same, possibly stale, context. This may lead to cross-origin object leaks.
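To make the failure mode concrete, the following is an added, self-contained model of the hazard, not Blink code and not the fix Chromium shipped: `Context`, `Wrapped`, `wrapIn`, `forEachStale` and `forEachChecked` are hypothetical stand-ins for the JS global object, `toV8()` and the loop above. The "stale" variant snapshots the creation context before the loop exactly as the Blink loop does; the "checked" variant re-reads the live context before each wrapper and stops when the origin has changed across a callback.

```cpp
// Added example, not Blink code: a self-contained model of the re-entrancy
// hazard in forEachForBinding. Context, Wrapped, wrapIn and the two forEach
// variants are hypothetical stand-ins for the JS global, toV8() and the loop.
#include <functional>
#include <string>
#include <vector>

// Stand-in for a global object / creation context. The only property modelled
// is the security origin, which a navigation can change while script runs.
struct Context {
    std::string origin;
};

// Stand-in for a V8 wrapper: remembers the origin of the context it was created in.
struct Wrapped {
    std::string origin;
    int value;
};

// Stand-in for toV8(value, creationContext, isolate).
Wrapped wrapIn(const Context& creationContext, int value) {
    return Wrapped{creationContext.origin, value};
}

// The callback receives the wrapper and a handle to the live context, so it can
// model "arbitrary script ran and the origin changed" (re-entrancy).
using Callback = std::function<void(const Wrapped&, Context&)>;

// Vulnerable shape (mirrors the Blink loop): the creation context is snapshotted
// once before the loop and reused for every wrapper, even after a callback
// has changed the live context.
std::vector<Wrapped> forEachStale(Context& live, const std::vector<int>& source, const Callback& cb) {
    std::vector<Wrapped> created;
    const Context creationContext = live;        // snapshot; never refreshed
    for (int v : source) {
        Wrapped w = wrapIn(creationContext, v);  // wrapper built with the stale origin
        created.push_back(w);
        cb(w, live);                             // callback may change live.origin
    }
    return created;
}

// Hardened shape (hypothetical defence): remember the origin the iteration
// started under and re-check the live context before creating each wrapper.
// If the origin changed across a callback, stop rather than keep wrapping
// values into a context that no longer matches.
std::vector<Wrapped> forEachChecked(Context& live, const std::vector<int>& source, const Callback& cb) {
    std::vector<Wrapped> created;
    const std::string startOrigin = live.origin;
    for (int v : source) {
        if (live.origin != startOrigin)
            return created;                      // bail out: context changed under us
        Wrapped w = wrapIn(live, v);             // always wrap with the live context
        created.push_back(w);
        cb(w, live);
    }
    return created;
}

// A callback that models a navigation to a different origin during iteration.
Callback navigateTo(const std::string& newOrigin) {
    return [newOrigin](const Wrapped&, Context& live) { live.origin = newOrigin; };
}
```

With a three-element source and a callback that switches the origin on its first call, `forEachStale` hands out all three wrappers tagged with the original origin although the live context has moved on, while `forEachChecked` creates the first wrapper and then stops. Re-reading the context per iteration is the cheap part; whether the right policy is to abort or to continue with the new context is a design decision the binding has to make explicitly.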
Chrome 50.0.2661.87 (Stable)
Chrome 51.0.2704.22 (Beta)
Chrome 51.0.2704.19 (Dev)
Chromium 52.0.2716.0 (Release build compiled today)
Attachment: exploit.zip