Reported by [email protected], Apr 21 2016
When a node is being adopted, the tree scope adopter calls |didMoveToNewDocument| on each rescoped node in the tree. The HTMLImageElement implementation of |didMoveToNewDocument| calls the corresponding method on the related loader, which clears and stops observing the associated image resource. In special circumstances, when the adopted image is the last thing being loaded in the old document and the resource has been evicted from the memory cache, this may end up firing timers and events. This allows an attacker to violate a lot of invariants and corrupt the DOM tree.
Chrome 50.0.2661.87 (Stable)
Chrome 51.0.2704.22 (Beta)
Chrome 51.0.2704.19 (Dev)
Chromium 52.0.2715.0 (Release build compiled today)
Link: https://bugs.chromium.org/p/chromium/issues/detail?id=605766
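The hazard the report describes is re-entrancy: a per-node hook invoked in the middle of the adoption walk ends up completing the old document's last pending load, which runs page script before the walk has finished rescoping the subtree. The following is an added toy model of that pattern, written for this note; it is not Blink's code, not the reporter's proof of concept, and every class and function name in it is invented. The "hardened" variant shows one generic mitigation (queueing script-running notifications until the walk has finished and the tree is consistent again); it is an illustration of the principle, not Chromium's actual fix.

```javascript
// Added model (not Blink code): an adopter that rescopes a subtree and calls a
// per-node hook, where the hook can synchronously run page script because it
// completes the old document's last pending load. All names are invented.

class ModelDocument {
  constructor(name, deferDuringAdopt) {
    this.name = name;
    this.deferDuringAdopt = deferDuringAdopt; // hardened behaviour when true
    this.pendingLoads = new Set();   // loaders still observing a resource
    this.loadListeners = [];         // page script run when the last load finishes
    this.deferred = [];              // notifications postponed by the hardened adopter
    this.adoptDepth = 0;             // > 0 while an adoption walk is in progress
  }
  // A loader stopped observing its resource; this may complete the last load.
  loaderFinished(loader) {
    this.pendingLoads.delete(loader);
    if (this.pendingLoads.size !== 0) return;
    const fire = () => this.loadListeners.forEach(fn => fn());
    if (this.deferDuringAdopt && this.adoptDepth > 0) this.deferred.push(fire);
    else fire();                     // naive: runs arbitrary script mid-walk
  }
}

class ModelNode {
  constructor(doc) { this.ownerDocument = doc; this.parent = null; this.children = []; }
  append(child) {
    if (child.ownerDocument !== this.ownerDocument) adopt(child, this.ownerDocument);
    child.remove();
    child.parent = this;
    this.children.push(child);
    return child;
  }
  remove() {
    if (!this.parent) return;
    this.parent.children = this.parent.children.filter(c => c !== this);
    this.parent = null;
  }
  didMoveToNewDocument(oldDoc) {}
}

class ModelImage extends ModelNode {
  constructor(doc) { super(doc); doc.pendingLoads.add(this); }
  // As in the report: the loader clears and stops observing its resource.
  didMoveToNewDocument(oldDoc) { oldDoc.loaderFinished(this); }
}

function* subtree(node) { yield node; for (const c of node.children) yield* subtree(c); }

function adopt(root, newDoc) {
  const oldDoc = root.ownerDocument;
  if (oldDoc === newDoc) return;
  root.remove();                     // adoptNode detaches the subtree first
  oldDoc.adoptDepth++;
  for (const n of subtree(root)) {   // the hook may mutate the tree under this walk
    n.ownerDocument = newDoc;
    n.didMoveToNewDocument(oldDoc);
  }
  oldDoc.adoptDepth--;
  if (oldDoc.deferDuringAdopt && oldDoc.adoptDepth === 0) {
    oldDoc.deferred.splice(0).forEach(fn => fn()); // tree is consistent again now
  }
}

// Invariant: every child shares its parent's document and points back at it.
function treeIsConsistent(node) {
  return node.children.every(c =>
    c.parent === node && c.ownerDocument === node.ownerDocument && treeIsConsistent(c));
}

// Scenario: the adopted subtree holds the old document's last pending image,
// followed by a sibling the walk has not reached yet; the load handler (page
// script) pulls the subtree back into the old document while the walk runs.
function runScenario(hardened) {
  const oldDoc = new ModelDocument('old', hardened);
  const newDoc = new ModelDocument('new', hardened);
  const oldHost = new ModelNode(oldDoc);
  const root = oldHost.append(new ModelNode(oldDoc));
  const image = root.append(new ModelImage(oldDoc));
  const trailing = root.append(new ModelNode(oldDoc));
  oldDoc.loadListeners.push(() => oldHost.append(root));
  adopt(root, newDoc);
  return {
    consistent: treeIsConsistent(oldHost),
    documents: [root, image, trailing].map(n => n.ownerDocument.name),
  };
}

console.log('naive:', runScenario(false));
console.log('hardened:', runScenario(true));
```

With the naive adopter the handler's nested adoption finishes before the outer walk does, so the outer walk then rescopes the trailing sibling into the new document while its parent has already been moved back: the model ends with a parent and child in different documents, which is the kind of invariant violation the report refers to. With notifications deferred until the walk completes, the handler still runs, but only against a consistent tree.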