- Exploit code for a vulnerability in Firefox, found by saelo and Coinbase Security.
- IonMonkey does not check for indexed elements on the current element's prototypes; it only checks on ArrayPrototype. This leads to a type confusion after inlining.
- We confuse a Uint8Array to get an overflow in an ArrayBuffer, then convert this into an arbitrary read-write primitive and execute shellcode.