#16707 closed enhancement (fixed)

JS-91.11.0

Reported by: ken@… Owned by: ken@…
Priority: normal Milestone: 11.2
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

Now that firefox-102.0esr is available, a separate ticket for JS91.

Some small changes in the js/src code, one of which I interpret as a hardening fix -

 "         (default false).\n"
 "      useWindowProxy: the global will be created with a WindowProxy attached. In this\n"
 "          case, the WindowProxy will be returned.\n"
+"      freezeBuiltins: certain builtin constructors will be frozen when created and\n"
+"          their prototypes will be sealed. These constructors will be defined on the\n"
+"          global as non-configurable and non-writable.\n"
 "      immutablePrototype: whether the global's prototype is immutable.\n"
 "      principal: if present, its value converted to a number must be an\n"
 "         integer that fits in 32 bits; use that as the new realm's\n"
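Review bot: the added freezeBuiltins text says "certain builtin constructors" without naming them or pointing to where the set is defined, so a reader of this help string cannot tell which globals end up non-configurable and non-writable; suggest listing them or referencing the source of the list. The entry also states no default, while the first context line of this hunk shows another entry ending in "(default false)"; adding the default in the same form would keep the help consistent.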

Change History (3)

in reply to:  description comment:1 by ken@…, 22 months ago

Replying to ken@…:

Now that firefox-102.0esr is available, a separate ticket for JS91.

Some small changes in the js/src code, one of which I interpret as a hardening fix -

Now that the Firefox release notes are available, this is CVE-2022-2200, which Mozilla rate as 'moderate' (might only be medium, or might be high).

comment:3 by ken@…, 22 months ago

Resolution: fixed
Status: assigned → closed

"If an object prototype was corrupted by an attacker, they would have been able to set undesired attributes on a JavaScript object, leading to privileged code execution."

In the absence of analysis I'm going to mark that as High.

SA 11.1-067
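
The three properties named in the freezeBuiltins help text quoted in the description (frozen constructors, sealed prototypes, non-configurable and non-writable globals), shown with standard ECMAScript primitives. This is an added example, not SpiderMonkey code and not part of the ticket; `Widget`, `makeRealm`, `harden` and `probe` are hypothetical names, and a plain object stands in for the global.

```javascript
// Added illustration (not SpiderMonkey code): standard ECMAScript semantics only.
// `realm` is a plain object standing in for a global; all names are hypothetical.
function makeRealm() {
  function Widget() {}
  Widget.prototype.describe = function () { return "widget"; };
  return { Widget };
}

// Apply the three properties named in the help text to one constructor.
function harden(realm, name) {
  const ctor = realm[name];
  Object.freeze(ctor);            // constructor frozen
  Object.seal(ctor.prototype);    // prototype sealed
  Object.defineProperty(realm, name, { writable: false, configurable: false });
  return realm;
}

// Try each kind of modification; Reflect.* returns false instead of throwing,
// so the result is the same in strict and sloppy code.
function probe(realm, name) {
  const ctor = realm[name];
  const proto = ctor.prototype;
  return {
    replaceGlobalBinding: Reflect.set(realm, name, function Fake() {}),
    deleteGlobalBinding: Reflect.deleteProperty(realm, name),
    addStaticToCtor: Reflect.set(ctor, "injected", 1),
    swapCtorPrototype: Reflect.set(ctor, "prototype", {}),
    addToPrototype: Reflect.set(proto, "injected", 1),
    // Sealing leaves existing writable properties writable; only freezing stops this.
    overwriteExistingMethod: Reflect.set(proto, "describe", () => "tampered"),
    redefineAsAccessor: Reflect.defineProperty(proto, "describe", { get() { return null; } }),
    deleteFromPrototype: Reflect.deleteProperty(proto, "describe"),
  };
}

const unhardened = probe(makeRealm(), "Widget");
const hardened = probe(harden(makeRealm(), "Widget"), "Widget");
console.log({ unhardened, hardened });
```

Every probe succeeds on the unhardened object; after `harden` all are rejected except overwriting an existing writable method, which `Object.seal` by itself does not prevent.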
