#### VULNERABILITY DETAILS
When a private script method is invoked, a ScriptForbiddenScope::AllowUserAgentScript scope is set up to allow running the internal script. It is possible to exploit this scope to execute user code here:
```cpp
static v8::Local<v8::Value> compileAndRunPrivateScript(ScriptState* scriptState,
                                                       String scriptClassName,
                                                       const char* source,
                                                       size_t size) {
  (...)
  v8::Local<v8::Context> context = scriptState->context();
  v8::Local<v8::Object> global = context->Global();
  // Named lookup on the isolated world's global object.
  v8::Local<v8::Value> privateScriptController =
      global->Get(context, v8String(isolate, "privateScriptController"))
          .ToLocalChecked();
  RELEASE_ASSERT(privateScriptController->IsUndefined() ||
                 privateScriptController->IsObject());
  if (privateScriptController->IsObject()) {
    v8::Local<v8::Object> privateScriptControllerObject =
        privateScriptController.As<v8::Object>();
    // Property read on whatever object the lookup above returned.
    v8::Local<v8::Value> importFunctionValue =
        privateScriptControllerObject->Get(context, v8String(isolate, "import"))
            .ToLocalChecked();
    (...)
  }
```
Even though the context belongs to a private script isolated world, `global->Get(context, v8String(isolate, "privateScriptController"))` can return a DOM node if there's one named "privateScriptController". If the node is a plugin element then `privateScriptControllerObject->Get(context, v8String(isolate, "import"))` will run an interceptor. This allows an attacker to run script in the middle of node adoption and corrupt the DOM tree.
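The hazard above (a by-name lookup on a global returning an unexpected object, after which a plain property read runs code) is not specific to Blink. The following added example, which is not part of the report and not Chromium code, simulates it in ordinary JavaScript: a look-alike object whose `import` getter stands in for the plugin interceptor, a naive lookup that mirrors the pattern in `compileAndRunPrivateScript`, and a guarded lookup that only accepts a plain data object with a data property, so no foreign code runs during the lookup. The names `naiveImport`, `guardedImport`, `lookalike` and `expectedController` are all constructed for the example.

```javascript
// Added illustration (not Blink code): simulate "lookup by name, then Get".

// Stand-in for the controller object the private script expects to find.
const expectedController = { import: () => 'imported' };

// Stand-in for an unexpected object reached through a name collision.
// Reading `import` on it runs a getter, analogous to the plugin interceptor.
let interceptorRan = 0;
const lookalike = {};
Object.defineProperty(lookalike, 'import', {
  get() { interceptorRan += 1; return undefined; },
  enumerable: true,
});

// Naive lookup: trust whatever the name resolves to, then read a property.
function naiveImport(global) {
  const ctrl = global.privateScriptController;
  if (ctrl === undefined) return undefined;
  return ctrl.import;          // this read triggers any getter / interceptor
}

// Guarded lookup: require an own data property holding a plain object whose
// `import` is itself an own data property, so nothing foreign executes.
function guardedImport(global) {
  const desc = Object.getOwnPropertyDescriptor(global, 'privateScriptController');
  if (!desc || !('value' in desc)) return undefined;            // absent or accessor
  const ctrl = desc.value;
  if (ctrl === null || typeof ctrl !== 'object') return undefined;
  if (Object.getPrototypeOf(ctrl) !== Object.prototype) return undefined; // not plain
  const imp = Object.getOwnPropertyDescriptor(ctrl, 'import');
  if (!imp || !('value' in imp)) return undefined;               // accessor: would run code
  return typeof imp.value === 'function' ? imp.value : undefined;
}

// Helper for tests: how many times the simulated interceptor fired so far.
function interceptorCount() { return interceptorRan; }
```

With `{ privateScriptController: lookalike }` the naive lookup fires the getter once and returns `undefined`; the guarded lookup returns `undefined` without ever reading `import`. With the expected controller both return the `import` function.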
#### VERSION
Chrome 54.0.2840.99 (Stable)
Chrome 55.0.2883.59 (Beta)
Chrome 56.0.2924.3 (Dev)
Chromium 57.0.2932.0 (Release build compiled today)
Attachment: [exploit.zip](http://paper.seebug.org/papers/Archive/poc/CVE-2017-5008.zip)