Case Study of JavaScript Engine Vulnerabilities
V8

CVE Number | Feature | Keywords | Credit |
---|---|---|---|
CVE-2013-6632 | TypedArray | Integer Overflow, OOB | Pinkie Pie |
CVE-2014-1705 | TypedArray | Invalid Array Length, OOB | geohot |
CVE-2014-3176 | Array.concat | Side Effect, OOB | lokihardt |
CVE-2014-7927 | Optimization | asm.js, OOB | Christian Holler |
CVE-2014-7928 | Optimization | Array | Christian Holler |
CVE-2015-1233 | Optimization | Array, OOB | ? |
CVE-2015-1242 | Optimization | Array, Type Confusion | fcole@onshape.com |
CVE-2015-6764 | JSON.stringify | Side Effect, OOB | Guang Gong [1] |
CVE-2015-6771 | TypedArray.map | Prototype, OOB | ? |
CVE-2015-8584 | JSON.stringify | Side Effect, OOB | ? |
CVE-2016-1646 | Array.concat | Side Effect, OOB | Wen Xu [2] |
CVE-2016-1653 | Optimization | asm.js, TypedArray, OOB | Choongwoo Han [6] |
CVE-2016-1665 | Optimization | asm.js | HyungSeok Han [6] |
CVE-2016-1669 | RegExp | Heap Overflow, Integer Overflow | Choongwoo Han [6] |
CVE-2016-1677 | decodeURI | Side Effect, Information Leak | Guang Gong [1] |
CVE-2016-1688 | RegExp | | Max Korenko |
CVE-2016-5129 | Array | Side Effect | Jeonghoon Shin |
CVE-2016-5172 | Parser | Scope, eval | Choongwoo Han [6] |
CVE-2016-5198 | Optimization | parseInt, Compiler, OOB | Tencent Keen Security Lab |
CVE-2016-5200 | Optimization | asm.js, TypedArray, OOB | Choongwoo Han [6] |
CVE-2016-9651 | Object.assign | Logic, Property | Guang Gong [1] |
CVE-2017-5030 | Array.concat | Side Effect, OOB | Brendon Tiszka |
CVE-2017-5040 | Array.indexOf | TypedArray, Side Effect, Buffer Neutering | Choongwoo Han |
CVE-2017-5053 | Array.indexOf | Side Effect | Team Sniper [2] |
CVE-2017-5070 | Optimization | Array, Type Confusion | Zhao Qixun [5] |
CVE-2017-5071 | Compiler | OOB | Choongwoo Han |
CVE-2017-5088 | wasm | Information Leak | Xiling Gong [7] |
CVE-2017-5098 | Parser | Use After Free | Jihoon Kim [6] |
CVE-2017-5115 | Compiler | OOB | Marco Giovannini |
CVE-2017-5116 | wasm | Race Condition | Guang Gong [1] |
CVE-2017-5121 | Compiler | Uninitialized Memory | Jordan Rabet [9] |
CVE-2017-5122 | wasm | Side Effect, OOB | Choongwoo Han [8] |
CVE-2017-15401 | wasm | Side Effect, OOB | ? |
ChakraCore

CVE Number | Feature | Keywords | Credit |
---|---|---|---|
CVE-2016-3386 | Spread Operator | Array, Proxy, Stack Overflow | Richard Zhu |
CVE-2016-7189 | Array.join | Information Leak | Natalie Silvanovich [3] |
CVE-2016-7190 | Array.map | Heap Overflow | Natalie Silvanovich [3] |
CVE-2016-7194 | Function.apply | Information Leak | Natalie Silvanovich [3] |
CVE-2016-7200 | Array.filter | Heap Corruption | Natalie Silvanovich [3] |
CVE-2016-7201 | Array | Prototype, Type Confusion | Natalie Silvanovich [3] |
CVE-2016-7202 | Array.reverse | Overflow | Natalie Silvanovich [3] |
CVE-2016-7203 | Array.splice | Heap Overflow | Natalie Silvanovich [3] |
CVE-2016-7240 | eval | Proxy, Type Confusion | Natalie Silvanovich [3] |
CVE-2016-7241 | JSON.parse | Information Leak | Natalie Silvanovich [3] |
CVE-2016-7286 | SIMD.toLocaleString | Uninitialized Memory | Natalie Silvanovich [3] |
CVE-2016-7287 | Intl | Initialization, Type Confusion | Natalie Silvanovich [3] |
CVE-2016-7288 | TypedArray.sort | Side Effect, Buffer Neutering | Natalie Silvanovich [3] |
CVE-2017-0015 | Spread Operator | Side Effect, Uninitialized Memory | Qixun Zhao [4], lokihardt, Simon Zuckerbraun |
CVE-2017-0071 | Optimization | Array, Type Confusion | lokihardt [3] |
CVE-2017-0134 | Array.concat | Side Effect, Type Confusion | Jordan Rabet |
CVE-2017-0141 | Array.reverse | Side Effect | Semmle Inc |
CVE-2017-8548 | Optimization | Array | lokihardt [3] |
CVE-2017-8601 | Optimization | Array | lokihardt [3] |
CVE-2017-8634 | Array.concat | Side Effect | Hao Lian [5], HyungSeok Han [6] |
CVE-2017-8636 | Compiler | Integer Overflow | lokihardt [3] |
CVE-2017-8640 | arguments | Compiler, Uninitialized Memory | lokihardt [3] |
CVE-2017-8645 | Compiler | asm.js | lokihardt [3] |
CVE-2017-8646 | Compiler | asm.js | lokihardt [3] |
CVE-2017-8656 | try | Uninitialized Memory | lokihardt [3] |
CVE-2017-8657 | Compiler | asm.js | lokihardt [3] |
CVE-2017-8670 | arguments | Compiler, Uninitialized Memory | lokihardt [3] |
CVE-2017-8671 | Function.call | Integer Overflow | lokihardt [3] |
CVE-2017-8729 | Parser | Object | lokihardt [3] |
CVE-2017-8740 | Parser | Scope | lokihardt [3] |
CVE-2017-8751 | Object.setPrototypeOf | Memory Corruption | lokihardt [3] |
CVE-2017-8755 | Parser | asm.js | lokihardt [3] |
CVE-2017-11764 | Parser | eval | lokihardt [3] |
CVE-2017-11799 | Compiler | JIT | lokihardt [3] |
CVE-2017-11802 | Compiler | String.replace, Type Confusion | lokihardt [3] |
CVE-2017-11809 | Compiler | Recursive function, Uninitialized Memory | lokihardt [3] |
CVE-2017-11811 | Compiler | Type Confusion | lokihardt [3] |
CVE-2017-11839 | Compiler | JIT | lokihardt [3] |
CVE-2017-11840 | Compiler | JIT | lokihardt [3] |
CVE-2017-11841 | Compiler | JIT | lokihardt [3] |
CVE-2017-11861 | Compiler | Integer Overflow | lokihardt [3] |
CVE-2017-11870 | Compiler | JIT | lokihardt [3] |
CVE-2017-11873 | Compiler | JIT | lokihardt [3] |
JavaScriptCore

CVE Number | Feature | Keywords | Credit |
---|---|---|---|
CVE-2016-1857 | Array.join | Side Effect, Use After Free | Liang Chen, Zhen Feng, wushi [2], Jeonghoon Shin |
CVE-2016-4622 | Array.slice | Side Effect, OOB | Samuel Groß |
CVE-2016-4734 | TypedArray.copyWithin, TypedArray.fill | Side Effect, Buffer Neutering | Natalie Silvanovich [3] |
CVE-2017-2446 | Function.caller | Type Confusion | Natalie Silvanovich [3] |
CVE-2017-2447 | Function.bind | OOB | Natalie Silvanovich [3] |
CVE-2017-2464 | Array.concat | Integer Overflow | Natalie Silvanovich [3] |
CVE-2017-2491 | String.replace | RegExp, Use After Free | Samuel Groß and Niklas Baumstark |
CVE-2017-2521 | Array.length | OOB | lokihardt [3] |
CVE-2017-2531 | | OOB | lokihardt [3] |
CVE-2017-2536 | Spread Operator | Array, Integer Overflow | Samuel Groß and Niklas Baumstark |
CVE-2017-2547 | Optimization | parseInt, Compiler, OOB | lokihardt [3] |
CVE-2017-6980 | Array.splice | Uninitialized Memory | lokihardt [3] |
CVE-2017-6984 | Intl.getCanonicalLocales | Heap Overflow | lokihardt [3] |
CVE-2017-7056 | arguments | Uninitialized Memory | lokihardt [3] |
CVE-2017-7061 | Compiler | for-in, Type Confusion | lokihardt [3] |
CVE-2017-7092 | String.link | Heap Overflow | Samuel Groß and Niklas Baumstark, Qixun Zhao [5] |
CVE-2017-7117 | Compiler | for-in, Type Confusion | lokihardt [3] |
SpiderMonkey

CVE Number | Feature | Keywords | Credit |
---|---|---|---|
CVE-2014-1513 | TypedArray.subarray | OOB, Buffer Neutering, Side Effect | Jüri Aedla |
JScript

CVE Number | Feature | Keywords | Credit |
---|---|---|---|
CVE-2017-11793 | JSON | Use After Free | ifratric [3] |
CVE-2017-11855 | Array.slice | Uninitialized Variable | ifratric [3] |
CVE-2017-11890 | RegExp | Heap Overflow | ifratric [3] |
CVE-2017-11903 | Array.join | Use After Free | ifratric [3] |
CVE-2017-11906 | RegExp | OOB | ifratric [3] |
CVE-2017-11907 | Array.sort | Heap Overflow | ifratric [3] |

[1] Qihoo 360
[2] Tencent KeenLab
[3] Google Project Zero
[4] Qihoo 360 Skyeye Labs
[5] Qihoo 360 Vulcan Team
[6] KAIST SoftSec
[7] Tencent Security Platform Department
[8] Naver Corporation
[9] Microsoft