Security researchers Chris Rohlf and Yan
Ivnitskiy of Matasano Security reported that when a
JavaScript Array
object had its length set to an
extremely large value, the iteration of array elements that occurs
when its reduceRight
method was subsequently called could
result in the execution of attacker controlled memory due to an
invalid index value being used to access element properties.