SecurityAdvisory20160421

Background

There are two issues covered by this advisory:

• SES did not correctly understand variable names written using escaped characters, e.g. \u0077indow, and did not recognize at all the new \u{...} syntax introduced by ECMAScript 2015. This allowed access to host global variables (such as window and document) by spelling them with escaped characters.

• For applications which used the Google API tamings (not enabled by default), the taming of the Charts / Visualization API did not protect against all means of causing chart data to be interpreted as arbitrary HTML.

Impact and Advice

This is a complete breach of the Caja sandbox. All users should immediately upgrade to Caja v6008 or later.

More Information

Discussion of the fix for SES may be found at:

• https://codereview.appspot.com/285330043/
• https://codereview.appspot.com/283510043/

Note that we have included an additional “backstop” protection to reduce the exploitability of any future errors in variable name processing.

Discussion of the fix for Charts taming may be found at:

• https://codereview.appspot.com/286220043/