Google Chrome 67 / 68 / 69 Object.create Type Confusion

This Metasploit modules exploits a type confusion in Google Chrome’s JIT compiler. The Object.create operation can be used to cause a type confusion between a PropertyArray and a NameDictionary. The payload is executed within the rwx region of the sandboxed renderer process, so the browser must be run with the –no-sandbox option for the payload to work.

Leave a Reply