From /WebKit/Source/core/dom/ContainerNode.cpp:
```cpp
void ContainerNode::parserInsertBefore(PassRefPtrWillBeRawPtr<Node> newChild, Node& nextChild)
{
    (…)
    while (RefPtrWillBeRawPtr<ContainerNode> parent = newChild->parentNode())
        parent->parserRemoveChild(*newChild);

    if (document() != newChild->document())
        document().adoptNode(newChild.get(), ASSERT_NO_EXCEPTION);

    {
        EventDispatchForbiddenScope assertNoEventDispatch;
        ScriptForbiddenScope forbidScript;

        treeScope().adoptIfNeeded(*newChild);
        insertBeforeCommon(nextChild, *newChild);
        newChild->updateAncestorConnectedSubframeCountForInsertion();
        ChildListMutationScope(*this).childAdded(*newChild);
    }

    notifyNodeInserted(*newChild, ChildrenChangeSourceParser);
}
```
|parserRemoveChild| can run script, and that script can remove |nextChild| from the DOM or move it elsewhere in the tree. The removal loop runs before the |ScriptForbiddenScope| is entered, so nothing prevents this, and nothing re-checks that |nextChild| is still a child of |this| afterwards. When this happens, |insertBeforeCommon| still splices |newChild| in next to |nextChild|, leaving the tree in an inconsistent state, which allows an attacker to bypass the frame restrictions.
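The re-entrancy described above, as an added example that is not Chromium's code: a toy model of Blink's parent-pointer plus sibling-linked child list, with the report's control flow (detach, then splice without re-validation) beside a hardened variant that re-checks |nextChild| after the script-capable removal. The hardened check is an illustration of the defensive pattern, not Chromium's actual fix; the scenario, the node names and the "script" hook are constructed for the example.

```cpp
#include <functional>

// Toy DOM node with the linkage Blink's ContainerNode uses: a parent pointer
// plus a doubly linked sibling list. (Added model, not Blink code.)
struct Node {
    Node* parent = nullptr;
    Node* firstChild = nullptr;
    Node* lastChild = nullptr;
    Node* prev = nullptr;
    Node* next = nullptr;
};

// Unlink |child| from its parent's sibling list and clear its parent pointer.
static void unlink(Node* child) {
    Node* p = child->parent;
    if (!p) return;
    if (child->prev) child->prev->next = child->next; else p->firstChild = child->next;
    if (child->next) child->next->prev = child->prev; else p->lastChild = child->prev;
    child->prev = child->next = nullptr;
    child->parent = nullptr;
}

// Move |child| to the end of |p|'s child list (what the "script" will do).
static void appendChild(Node* p, Node* child) {
    unlink(child);
    child->parent = p;
    child->prev = p->lastChild;
    if (p->lastChild) p->lastChild->next = child; else p->firstChild = child;
    p->lastChild = child;
}

// Models parserRemoveChild: detach |child|, then run |script|, because in
// Blink the removal can run attacker-controlled script before returning.
static void parserRemoveChild(Node* child, const std::function<void()>& script) {
    unlink(child);
    if (script) script();
}

// Models insertBeforeCommon: splices |newChild| in front of |nextChild| by
// pointer surgery on |nextChild|'s sibling links, trusting that |nextChild|
// is still a child of |self|. Nothing here re-checks that.
static void insertBeforeCommon(Node* self, Node* nextChild, Node* newChild) {
    Node* prev = nextChild->prev;
    nextChild->prev = newChild;
    if (prev) prev->next = newChild; else self->firstChild = newChild;
    newChild->parent = self;
    newChild->prev = prev;
    newChild->next = nextChild;
}

// Same control flow as the function in the report: detach (which may run
// script), then insert without re-validating |nextChild|.
static void parserInsertBeforeVulnerable(Node* self, Node* newChild, Node* nextChild,
                                         const std::function<void()>& script) {
    while (newChild->parent) parserRemoveChild(newChild, script);
    insertBeforeCommon(self, nextChild, newChild);
}

// Hardened illustration (not Chromium's actual fix): after any call that can
// run script, re-check the precondition the insertion depends on and bail out
// if script has moved |nextChild| away.
static bool parserInsertBeforeHardened(Node* self, Node* newChild, Node* nextChild,
                                       const std::function<void()>& script) {
    while (newChild->parent) parserRemoveChild(newChild, script);
    if (nextChild->parent != self) return false;
    insertBeforeCommon(self, nextChild, newChild);
    return true;
}

// Tree invariant: every node reachable through a parent's sibling list points
// back at that parent. A torn DOM violates this.
static bool childrenPointBack(const Node* p) {
    for (const Node* c = p->firstChild; c; c = c->next)
        if (c->parent != p || !childrenPointBack(c)) return false;
    return true;
}

struct Outcome { bool inserted; bool consistent; };

// Constructed scenario: the parser moves |newChild| out of |oldParent| into
// |target| before |nextChild|; the script that runs during the removal moves
// |nextChild| out of |target| into |elsewhere|.
static Outcome runScenario(bool hardened) {
    Node root, target, elsewhere, oldParent, nextChild, newChild;
    appendChild(&root, &target); appendChild(&root, &elsewhere); appendChild(&root, &oldParent);
    appendChild(&target, &nextChild);
    appendChild(&oldParent, &newChild);
    auto script = [&] { appendChild(&elsewhere, &nextChild); };

    bool inserted = true;
    if (hardened) inserted = parserInsertBeforeHardened(&target, &newChild, &nextChild, script);
    else parserInsertBeforeVulnerable(&target, &newChild, &nextChild, script);
    return {inserted, childrenPointBack(&root)};
}
```

On the vulnerable path, insertBeforeCommon links |newChild| into |nextChild|'s new sibling chain under |elsewhere| while stamping its parent pointer as |target|, so child lists and parent pointers no longer agree; the hardened variant refuses the insert instead. The general rule is the one the report implies: every precondition checked before a script-capable call has to be re-checked after it.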
Chrome 44.0.2403.130 (Stable)
Chrome 45.0.2454.26 (Beta)
Chrome 46.0.2471.2 (Dev)
Chromium 46.0.2480.0 (Release build compiled today)
Attachment: CVE-2015-6755