Seebug SSV-93007
Published: Apr 22, 2017

Chrome Universal XSS through adopting image elements (CVE-2016-1667)

Author: Root
Source: www.seebug.org

EPSS: 0.01 (Low), percentile 81.7%

VULNERABILITY DETAILS

When a node is being adopted, the tree scope adopter calls |didMoveToNewDocument| on each rescoped node in the tree. The image element's implementation of |didMoveToNewDocument| calls the corresponding method on the related loader, which clears and stops observing the associated image resource. (By the same reasoning, iframes and JS go through a similar handling flow.) In special circumstances, when the adopted image is the last thing being loaded in the old document and the resource has been evicted from the memory cache, this may end up firing timers and events. This allows an attacker to violate a lot of invariants and corrupt the DOM tree.

VERSION

Chrome 50.0.2661.87 (Stable)
Chrome 51.0.2704.22 (Beta)
Chrome 51.0.2704.19 (Dev)
Chromium 52.0.2715.0 (Release build compiled today)

Attachment: CVE-2016-1667.zip