Chrome Universal XSS using widget updates in ContainerNode::parserRemoveChild (CVE-2016-1630)

ID SSV:93026
Type seebug
Reporter Root
Modified 2017-04-24T00:00:00



There are 3 methods where ContainerNode::removeBetween is invoked:

  1. ContainerNode::removeChild
  2. ContainerNode::parserRemoveChild
  3. ContainerNode::removeChildren

The calls in #1 and #3 are within the scope of HTMLFrameOwnerElement::UpdateSuspendScope, but #2 is unprotected. Thus, if the parser removes a plugin node with an associated widget (plugins may take a while to load, but this is easy to handle with document.write, where the timing of the parser actions can be arbitrarily controlled), updates fired during the detachment can corrupt the DOM tree.
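As an added illustration (not code from the report or from Chromium), the following simplified C++ model shows why the removal path needs the suspend scope. A sibling-linked container's `removeBetween` fixes the sibling links, tears down the detached node's widget, and only then clears the node's own pointers. The `Container`, `Node`, `onWidgetUpdate` hook and `UpdateSuspendScope` type here are hypothetical stand-ins for Blink's structures. A callback that re-enters the tree between those steps sees a half-removed node whose parent pointer is still set; on the unprotected path the forward and backward sibling walks end up disagreeing, while the scoped path defers the update until the node is fully detached and the late insertion is rejected.

```cpp
// Simplified model (added example, not Chromium code) of a structural mutation
// that must not let widget updates run re-entrantly. All names are hypothetical.
#include <cassert>
#include <cstdio>
#include <functional>
#include <string>
#include <utility>
#include <vector>

struct Container;

struct Node {
    std::string name;
    bool hasWidget = false;      // stands in for a plugin element with a live widget
    Container* parent = nullptr;
    Node* prev = nullptr;
    Node* next = nullptr;
};

struct Container {
    Node* firstChild = nullptr;
    Node* lastChild = nullptr;
    int suspendDepth = 0;                                // > 0 while updates are suspended
    std::vector<std::function<void()>> pending;          // widget updates queued while suspended
    std::function<void(Container&, Node&)> onWidgetUpdate;  // hypothetical re-entrant hook

    // RAII stand-in for an update-suspend scope: queue widget updates while
    // alive, flush them once the structural change has completed.
    struct UpdateSuspendScope {
        Container& c;
        explicit UpdateSuspendScope(Container& container) : c(container) { ++c.suspendDepth; }
        ~UpdateSuspendScope() {
            if (--c.suspendDepth == 0) {
                auto work = std::move(c.pending);
                c.pending.clear();
                for (auto& fn : work) fn();
            }
        }
    };

    void appendChild(Node* n) {
        n->parent = this; n->prev = lastChild; n->next = nullptr;
        if (lastChild) lastChild->next = n; else firstChild = n;
        lastChild = n;
    }

    // Insert n right after ref. Only the parent pointer is checked, as a DOM API
    // would check it; a half-removed ref still passes.
    bool insertAfter(Node* ref, Node* n) {
        if (ref->parent != this) return false;
        n->parent = this; n->prev = ref; n->next = ref->next;
        if (ref->next) ref->next->prev = n; else lastChild = n;
        ref->next = n;
        return true;
    }

    // Widget teardown: fires the update now, or defers it while suspended.
    void detachWidget(Node& n) {
        if (!n.hasWidget) return;
        n.hasWidget = false;
        auto fire = [this, &n] { if (onWidgetUpdate) onWidgetUpdate(*this, n); };
        if (suspendDepth > 0) pending.push_back(fire); else fire();
    }

    // Sibling links are fixed first, the widget is torn down, and only then are
    // the old child's own pointers cleared; the callback may run in between.
    void removeBetween(Node* prev, Node* next, Node& old) {
        if (next) next->prev = prev; else lastChild = prev;
        if (prev) prev->next = next; else firstChild = next;
        detachWidget(old);
        old.prev = old.next = nullptr;
        old.parent = nullptr;
    }

    // Unprotected removal (the parser path in the report).
    void parserRemoveChild(Node& old) { removeBetween(old.prev, old.next, old); }

    // Protected removal: the same steps inside the suspend scope.
    void removeChild(Node& old) {
        UpdateSuspendScope scope(*this);
        removeBetween(old.prev, old.next, old);
    }

    // Tree invariant: forward and backward walks agree and every child claims us.
    bool consistent() const {
        std::vector<Node*> fwd, bwd;
        for (Node* n = firstChild; n; n = n->next) fwd.push_back(n);
        for (Node* n = lastChild; n; n = n->prev) bwd.push_back(n);
        if (fwd.size() != bwd.size()) return false;
        for (size_t i = 0; i < fwd.size(); ++i)
            if (fwd[i] != bwd[fwd.size() - 1 - i] || fwd[i]->parent != this) return false;
        return true;
    }
};

// Scenario: the widget update re-enters the tree and inserts a node after the
// element being removed. Returns whether the tree is consistent afterwards.
bool runScenario(bool protectedRemoval) {
    Node a{"a"}, plugin{"plugin", true}, b{"b"}, injected{"injected"};
    Container doc;
    doc.appendChild(&a); doc.appendChild(&plugin); doc.appendChild(&b);
    doc.onWidgetUpdate = [&](Container& c, Node& detached) { c.insertAfter(&detached, &injected); };
    if (protectedRemoval) doc.removeChild(plugin); else doc.parserRemoveChild(plugin);
    return doc.consistent();
}

int main() {
    std::printf("unprotected removal consistent: %d\n", runScenario(false));  // 0
    std::printf("protected removal consistent:   %d\n", runScenario(true));   // 1
    return 0;
}
```

The unprotected run leaves `injected` reachable only by walking backwards from `lastChild`, with its `prev` pointing at a node that is no longer in the tree; the protected run flushes the same callback after `plugin.parent` has been cleared, so `insertAfter` refuses it and the child list stays [a, b].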


Chrome 46.0.2490.86 (Stable)
Chrome 47.0.2526.69 (Beta)
Chrome 48.0.2564.10 (Dev)
Chromium 49.0.2572.0 + Pepper Flash (Release build compiled today)

Attachment: CVE-2016-1630