Chrome Universal XSS by intercepting... CVE-2016-5204 CNNVD-201612-045
#### VULNERABILITY DETAILS When an event is dispatched to an element in a SVG <use> shadow tree, Event::currentTarget returns the original corresponding node, but Event::target doesn't make any attempt to redirect access. Therefore, the tree can be trivially leaked like this: ``` <svg> <g id="a"> <image href="" onerror="if (event.currentTarget !== event.target) {alert(event.target.parentNode.parentNode)}"> </g> <use href="#a"> </svg> ``` Gaining access to the internal shadow tree allows an attacker to manipulate it in a way that allows triggering focus events in theoretically impossible circumstances, which may lead to DOM tree corruption. #### VERSION Chrome 52.0.2743.82 (Stable) Chrome 52.0.2743.82 (Beta) Chrome 53.0.2785.21 (Dev) Chromium 54.0.2806.0 (Release build compiled today) 附件:[exploit.zip](http://paper.seebug.org/papers/Archive/poc/CVE-2016-5204.zip)
