seebug, Root, SSV:93021
Apr 24, 2017 - 12:00 a.m.

Chrome Universal XSS via the interception of |Binding| with Object.prototype.create (CVE-2016-1674)

2017-04-24 00:00:00
Root
www.seebug.org
7

EPSS: 0.013 (Low), percentile 85.9%

VULNERABILITY DETAILS

The fix for issue 590118 is insufficient to protect against interception of the bindings. While they can no longer be accessed by triggering accessors on the |modules| object, it is still possible to trap the set operation for |Binding.create| using Object.prototype.create. The obtained constructor can then be used to take over the built-in extensions system and gain access to native functions.
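
The language behaviour behind this class of bug, and the defensive pattern against it, can be shown in plain JavaScript. This is an added example, not Chrome's bindings code and not from the original report; the function names are hypothetical, and only the property name `create` on Object.prototype comes from the text above.

```javascript
'use strict';
// Added illustration of generic JavaScript semantics; all function names are hypothetical.

// Simulates privileged setup code publishing an internal constructor by plain
// assignment. Assignment ([[Set]]) walks the prototype chain, so an inherited
// setter runs instead of an own property being created.
function defineBindingUnsafe(Binding) {
  const holder = {};
  holder.create = Binding; // interceptable by a setter on Object.prototype
  return holder;
}

// Hardened form: a null-prototype holder plus Object.defineProperty
// ([[DefineOwnProperty]]) never consults Object.prototype.
function defineBindingSafe(Binding) {
  const holder = Object.create(null);
  Object.defineProperty(holder, 'create', {
    value: Binding, writable: false, enumerable: true, configurable: false,
  });
  return holder;
}

// Check harness: installs a setter on Object.prototype as untrusted script in
// the same context could, runs `setup`, then restores the prototype.
function withPollutedPrototype(setup) {
  const captured = [];
  Object.defineProperty(Object.prototype, 'create', {
    configurable: true,
    set(v) { captured.push(v); },
  });
  try {
    const holder = setup(function Binding() {});
    const own = Object.prototype.hasOwnProperty.call(holder, 'create');
    return { leaked: captured.length, ownProperty: own };
  } finally {
    delete Object.prototype.create;
  }
}

function demo() {
  return {
    unsafe: withPollutedPrototype(defineBindingUnsafe),
    safe: withPollutedPrototype(defineBindingSafe),
  };
}
console.log(demo());
```

The same harness can be pointed at any setup routine that must run in a context shared with untrusted script, to confirm that none of its property writes reach an inherited setter.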

VERSION

Chrome 49.0.2623.108 (Stable)
Chrome 50.0.2661.49 (Beta)
Chrome 51.0.2687.0 (Dev)
Chromium 51.0.2692.0 + Pepper Flash (Release build compiled today)

Attachment: CVE-2016-1674.zip