WebKit: UXSS via ContainerNode::parserRemoveChild (2) Here's a snippet of ContainerNode::parserRemoveChild. void ContainerNode::parserRemoveChild(Node& oldChild) { disconnectSubframesIfNeeded(*this, DescendantsOnly); <<---- (a) ... document().notifyRemovePendingSheetIfNeeded(); <<---- (b) } subframes are detached at (a). But In |notifyRemovePendingSheetIfNeeded| at (b), which fires a focus event, we can attach subframes again. PoC:
This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public. Found by: lokihardt