This repository has been archived by the owner on Feb 2, 2021. It is now read-only.
Kevin Reid edited this page Nov 14, 2017
Background
Browsers have recently added new language features that allow executing code from a string:
the dynamic "import" expression, and
async functions and async generators (more precisely, the constructors of those function kinds, which compile source text just as the Function constructor does).
SES, being unaware of these features, could not prevent them from being used to execute arbitrary code.
Impact and Advice
This is a complete breach of the Caja sandbox. All users should immediately upgrade to Caja v6012 or later.
In order to prevent future vulnerabilities of this form, we have switched to having SES and Caja always parse and rewrite the input JS, to guarantee that the input is within the correctly-understood subset of the language. This unfortunately means that source position information in exceptions will not be useful. We are looking into solutions for this problem.
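The following Node.js script is an added example, not Caja or SES code and not part of this advisory. It audits which intrinsic "compile code from a string" constructors are reachable without any global, purely through the prototype chain of ordinary functions, and neuters the ones it is told about. Run against the gap described under Background, it shows why blocking the Function constructor alone left the async and generator constructors live; it also illustrates why the parse-and-rewrite approach described above is the more robust fix, since a blocklist like this one is only as complete as the maintainer's knowledge of the language. All identifiers (evaluatorPrototypes, liveEvaluators, neuterEvaluators, blockedEvaluator) are constructed for this example.

```javascript
'use strict';
// Added example, not Caja/SES code. Audits which intrinsic evaluators
// (constructors that compile source text) are reachable through the prototype
// chain of ordinary functions, and neuters the ones named. All identifiers
// here are constructed for this example.

// Each function kind has its own intrinsic prototype whose `constructor`
// property is the evaluator. No global is needed to reach it, which is why a
// sandbox that only removes the `Function` and `eval` globals is not enough.
function evaluatorPrototypes() {
  return {
    Function: Object.getPrototypeOf(function () {}),
    GeneratorFunction: Object.getPrototypeOf(function* () {}),
    AsyncFunction: Object.getPrototypeOf(async function () {}),
    AsyncGeneratorFunction: Object.getPrototypeOf(async function* () {}),
  };
}

// Names of the evaluators that still compile source text when invoked.
// The probe body is inert; a neutered constructor throws instead of compiling.
function liveEvaluators() {
  const live = [];
  for (const [name, proto] of Object.entries(evaluatorPrototypes())) {
    try {
      proto.constructor('return 1');
      live.push(name);
    } catch (_) {
      // Throws: this evaluator has been neutered.
    }
  }
  return live;
}

// One replacement shared by every neutered prototype, so the property can be
// frozen and later re-defined idempotently with identical attributes.
function blockedEvaluator() {
  throw new TypeError('code evaluation from strings is disabled in this sandbox');
}

// Replace `constructor` on the selected prototypes with the blocker. The
// intrinsic property is non-writable but configurable, so defineProperty is
// required; it is left non-configurable afterwards to lock it in place.
// A real sandbox must also remove the `Function` and `eval` globals; this
// example leaves them alone because it runs inside a shared realm.
// Returns the audit result after neutering so a caller can see what remains.
function neuterEvaluators(names = Object.keys(evaluatorPrototypes())) {
  const protos = evaluatorPrototypes();
  for (const name of names) {
    Object.defineProperty(protos[name], 'constructor', {
      value: blockedEvaluator,
      writable: false,
      enumerable: false,
      configurable: false,
    });
  }
  return liveEvaluators();
}
```

Calling `neuterEvaluators(['Function'])` and inspecting the returned list reproduces the shape of the gap this advisory describes: the generator and async constructors are still reported live. Calling `neuterEvaluators()` with no argument closes all four, and a fresh `liveEvaluators()` returns an empty list; the property lock means later code in the realm cannot restore them.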