(The fix and CVE number for this issue are not known.)
postMessage method, the code in blink does not handle it
correctly and attempts to serialize this kind of object as a regular object,
which results in a bad cast. An attacker that can trigger this issue may be
able to execute arbitrary code.
<script> postMessage(Symbol()); </script>
The repro causes a call to
blink:: (found in
This method creates a
Serializer object for the "script value" of the symbol.
blink::`anonymous namespace'::Serializer:: (found in
the code attempts to determine the type of object being serialized and runs
specific code to serialize each type. This code does not distinguish between
Symbol and a regular object, and therefore runs code designed to handle the
latter to serialize the former. This results in a bad cast to a
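The serializer's type dispatch described above is the core of the issue: a branch meant for regular objects is reached with a value that is not one. The following JavaScript is an added example, not blink's code and not part of the original report. It is a toy structured-clone style serializer with two variants: one whose dispatch falls through to an "it must be an object" branch for anything it does not recognise (so a Symbol is walked as if it were an object, the confusion the report describes, although here it degrades silently rather than crashing), and one whose dispatch handles every typeof result explicitly, rejects Symbol with a DataCloneError the way structured clone does, and treats an unknown tag as an error instead of an object. The names serializeFallthrough, serializeStrict and probe are constructed for this illustration.

```javascript
// Added example (not blink's code): a toy structured-clone style serializer
// showing why a type dispatch needs an explicit case per type and a
// rejecting default, rather than a catch-all "treat it as an object" branch.

class DataCloneError extends Error {
  constructor(message) {
    super(message);
    this.name = "DataCloneError";
  }
}

// Variant A: fall-through dispatch. Only a few primitives are recognised;
// everything else is assumed to be a plain object. A Symbol slips into the
// object branch, mirroring the confusion in the report (here it silently
// becomes an empty record instead of a bad cast).
function serializeFallthrough(value) {
  if (value === null) return { type: "null" };
  const t = typeof value;
  if (t === "undefined" || t === "boolean" || t === "number" || t === "string") {
    return { type: t, value };
  }
  // Assumed to be an object from here on: the flawed assumption.
  const props = {};
  for (const key of Object.keys(value)) {
    props[key] = serializeFallthrough(value[key]);
  }
  return { type: "object", props };
}

// Variant B: exhaustive dispatch. Every typeof result is handled explicitly;
// Symbol and Function are rejected as structured clone rejects them, and an
// unrecognised tag is an error, never an object.
function serializeStrict(value) {
  if (value === null) return { type: "null" };
  switch (typeof value) {
    case "undefined":
    case "boolean":
    case "number":
    case "string":
      return { type: typeof value, value };
    case "bigint":
      return { type: "bigint", value: value.toString() };
    case "symbol":
      throw new DataCloneError("Symbol values cannot be cloned");
    case "function":
      throw new DataCloneError("functions cannot be cloned");
    case "object": {
      if (Array.isArray(value)) {
        return { type: "array", items: value.map(serializeStrict) };
      }
      const props = {};
      for (const key of Object.keys(value)) {
        props[key] = serializeStrict(value[key]);
      }
      return { type: "object", props };
    }
    default:
      throw new DataCloneError(`unsupported type: ${typeof value}`);
  }
}

// Harness mirroring the report's repro: what each serializer does with the
// argument of postMessage(Symbol()).
function probe(serialize, value) {
  try {
    return { ok: true, result: serialize(value) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

console.log(probe(serializeFallthrough, Symbol())); // silently accepted as an object
console.log(probe(serializeStrict, Symbol()));      // rejected with DataCloneError
```

The point of the strict variant is not the extra cases themselves but the shape of the dispatch: each value reaches object-handling code only after a positive check that it is an object, and the default branch refuses rather than guesses.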
The exploitability of a bad cast depends on many things, including what properties and methods the real object type and the object type it was cast to have, how much control an attacker has over the values of properties of the object, how the code proceeds to use the badly cast object, compiler optimizations, heap management, etc. Without further investigation it is impossible to say what an attacker could gain from exploiting this vulnerability. In this specific case, I did not have time to investigate exploitability on Google Chrome releases, so I cannot prove this is actually exploitable.