Chrome Universal XSS by circumventing the unload event ( CVE-2016-1623)

#### VULNERABILITY DETAILS From /third_party/WebKit/Source/core/dom/Document.cpp: ``` void Document::dispatchUnloadEvents() { PluginScriptForbiddenScope forbidPluginDestructorScripting; RefPtrWillBeRawPtr<Document> protect(this); if (m_parser) m_parser->stopParsing(); if (m_loadEventProgress == LoadEventNotRun) return; if (m_loadEventProgress <= UnloadEventInProgress) { (...) if (m_loadEventProgress < PageHideInProgress) { (...) } m_loadEventProgress = UnloadEventHandled; } (...) } ``` If this method is called while the document's |m_loadEventProgress| is still at |LoadEventNotRun| then it returns without advancing |m_loadEventProgress|. It is possible to take this branch by calling document.open() (which sets |m_loadEventProgress| to LoadEventNotRun), and then navigating the document without the body element (the presence of which would allow |m_loadEventProgress| to change to BeforeUnloadEventCompleted before Document::dispatchUnloadEvents is called). Since FrameLoader::prepareForCommit relies on Document::dispatchUnloadEvents to advance |m_loadEventProgress| to block the creation of new frames, this allows an attacker to attach subframes that will persist in the frame tree of a cross-origin document. #### VERSION Chrome 47.0.2526.106 (Stable) Chrome 48.0.2564.71 (Beta) Chrome 49.0.2618.8.0 (Dev) Chromium 49.0.2621.0 (Release build compiled today) 附件：[CVE-2016-1623.zip](http://paper.seebug.org/papers/Archive/poc/CVE-2016-1623.zip)