VULNERABILITY DETAILS
From /third_party/WebKit/Source/core/dom/Fullscreen.cpp:
```cpp
void Fullscreen::didEnterFullscreenForElement(Element* element) {
(...)
// FIXME: This should not call updateStyleAndLayoutTree.
document()->updateStyleAndLayoutTree();
(...)
}
```
Indeed. |didEnterFullscreenForElement| may be called in the middle of DOM node removal if the node being removed is the active fullscreen element and there are other fullscreen elements on the Fullscreen::m_fullscreenElementStack (see Fullscreen::exitFullscreen()). In specific circumstances, when the document's focused node is in a <use> shadow tree with a scheduled update, this synchronous layout update may result in events being dispatched at a wrong time, which allows an attacker to corrupt the DOM tree.
VERSION
Chrome 54.0.2840.59 (Stable)
Chrome 54.0.2840.59 (Beta)
Chrome 55.0.2883.11 (Dev)
Chromium 56.0.2890.0 (Release build compiled today)
Attachment: [exploit.zip](http://paper.seebug.org/papers/Archive/poc/CVE-2016-5207/exploit.zip)