Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/tunz/js-vuln-db
A collection of JavaScript engine CVEs with PoCs
https://github.com/tunz/js-vuln-db
cve javascript vulnerability
Last synced: 5 days ago
JSON representation
A collection of JavaScript engine CVEs with PoCs
- Host: GitHub
- URL: https://github.com/tunz/js-vuln-db
- Owner: tunz
- Created: 2016-08-06T01:02:59.000Z (over 8 years ago)
- Default Branch: master
- Last Pushed: 2019-09-03T22:42:41.000Z (over 5 years ago)
- Last Synced: 2024-11-21T06:11:24.293Z (21 days ago)
- Topics: cve, javascript, vulnerability
- Homepage:
- Size: 197 KB
- Stars: 2,291
- Watchers: 185
- Forks: 405
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- security-study-tutorial - A collection of JavaScript engine CVEs with PoCs
- awesome-rainmana - tunz/js-vuln-db - A collection of JavaScript engine CVEs with PoCs (Others)
- awesome-security-collection - **1748**星
- awesome-hacking-lists - tunz/js-vuln-db - A collection of JavaScript engine CVEs with PoCs (Others)
README
# Case Study of JavaScript Engine Vulnerabilities
## V8
CVE Number | Feature | Keywords | Credit
---------- | ------- | -------- | ------
[CVE-2013-6632](./v8/CVE-2013-6632.md) | TypedArray | Integer Overflow, OOB | _Pinkie Pie_
[CVE-2014-1705](./v8/CVE-2014-1705.md) | TypedArray | Invalid Array Length, OOB | _geohot_
[CVE-2014-3176](./v8/CVE-2014-3176.md) | Array.concat | Side Effect, OOB | _lokihardt_
[CVE-2014-7927](./v8/CVE-2014-7927.md) | Optimization | asm.js, OOB | _Christian Holler_
[CVE-2014-7928](./v8/CVE-2014-7928.md) | Optimization | Array | _Christian Holler_
[CVE-2015-1233](./v8/CVE-2015-1233.md) | Optimization | Array, OOB | ?
[CVE-2015-1242](./v8/CVE-2015-1242.md) | Optimization | Array, Type Confusion | [email protected]_
[CVE-2015-6764](./v8/CVE-2015-6764.md) | JSON.stringify | Side Effect, OOB, | _Guang Gong [[1]](#qihoo360)_
[CVE-2015-6771](./v8/CVE-2015-6771.md) | TypedArray.map | Prototype, OOB | ?
[CVE-2015-8584](./v8/CVE-2015-8548.md) | JSON.stringify | Side Effect, OOB | ?
[CVE-2016-1646](./v8/CVE-2016-1646.md) | Array.concat | Side Effect, OOB | _Wen Xu [[2]](#keenlab)_
[CVE-2016-1653](./v8/CVE-2016-1653.md) | Optimization | asm.js, TypedArray, OOB | _Choongwoo Han [[6]](#kaistsoftsec)_
[CVE-2016-1665](./v8/CVE-2016-1665.md) | Optimization | asm.js | _HyungSeok Han [[6]](#kaistsoftsec)_
[CVE-2016-1669](./v8/CVE-2016-1669.md) | RegExp | Heap Overflow, Integer Overflow | _Choongwoo Han [[6]](#kaistsoftsec)_
[CVE-2016-1677](./v8/CVE-2016-1677.md) | decodeURI | Side Effect, Information Leak | _Guang Gong [[1]](#qihoo360)_
[CVE-2016-1688](./v8/CVE-2016-1688.md) | RegExp | | _Max Korenko_
[CVE-2016-5129](./v8/CVE-2016-5129.md) | Array | Side Effect | _Jeonghoon Shin_
[CVE-2016-5172](./v8/CVE-2016-5172.md) | Parser | Scope, eval | _Choongwoo Han [[6]](#kaistsoftsec)_
[CVE-2016-5198](./v8/CVE-2016-5198.md) | Optimization | parseInt, Compiler, OOB | _Tencent Keen Security Lab_
[CVE-2016-5200](./v8/CVE-2016-5200.md) | Optimization | asm.js TypedArray, OOB | _Choongwoo Han [[6]](#kaistsoftsec)_
[CVE-2016-9651](./v8/CVE-2016-9651.md) | Object.assign | Logic, Property | _Guang Gong [[1]](#qihoo360)_
[CVE-2017-5030](./v8/CVE-2017-5030.md) | Array.concat | Side Effect, OOB | _Brendon Tiszka_
[CVE-2017-5040](./v8/CVE-2017-5040.md) | Array.indexOf | TypedArray, Side Effect, Detach Buffer | _Choongwoo Han_
[CVE-2017-5053](./v8/CVE-2017-5053.md) | Array.indexOf | Side Effect | _Team Sniper [[2]](#keenlab)_
[CVE-2017-5070](./v8/CVE-2017-5070.md) | Optimization | Array, Type Confusion | _Zhao Qixun [[5]](#qihoo360vulcan)_
[CVE-2017-5071](./v8/CVE-2017-5071.md) | Compiler | OOB | _Choongwoo Han_
[CVE-2017-5088](./v8/CVE-2017-5088.md) | wasm | Information Leak | _Xiling Gong [[7]](#tencentplatform)_
[CVE-2017-5098](./v8/CVE-2017-5098.md) | Parser | Use After Free | _Jihoon Kim [[6]](#kaistsoftsec)_
[CVE-2017-5115](./v8/CVE-2017-5115.md) | Compiler | OOB | Marco Giovannini
[CVE-2017-5116](./v8/CVE-2017-5116.md) | wasm | Race Condition | _Guang Gong [[1]](#qihoo360)_
[CVE-2017-5121](./v8/CVE-2017-5121.md) | Compiler | Uninitialized Memory | _Jordan Rabet [[9]](#microsoft)_
[CVE-2017-5122](./v8/CVE-2017-5122.md) | wasm | OOB | _Choongwoo Han [[8]](#naver)_
[CVE-2017-15399](./v8/CVE-2017-15399.md) | wasm | Use After Free | _Zhao Qixun [[5]](#qihoo360vulcan)_
[CVE-2017-15401](./v8/CVE-2017-15401.md) | wasm | Side Effect, OOB | ?
[CVE-2018-6056](./v8/CVE-2018-6056.md) | Object | OOB | _lokihardt [[3]](#projectzero)_
[CVE-2018-6061](./v8/CVE-2018-6061.md) | wasm | Race Condition | _Guang Gong [[1]](#qihoo360)_
[CVE-2018-6064](./v8/CVE-2018-6064.md) | Object.entries | Side Effect, OOB | _lokihardt [[3]](#projectzero)_
[CVE-2018-6065](./v8/CVE-2018-6065.md) | Object | Integer Overflow | _Mark Brand [[3]](#projectzero)_
[CVE-2018-6092](./v8/CVE-2018-6092.md) | wasm | Integer Overflow | _Natalie Silvanovich [[3]](#projectzero)_
[CVE-2018-6106](./v8/CVE-2018-6106.md) | async generator | Side Effect, Type Confusion | _lokihardt [[3]](#projectzero)_
[CVE-2018-6122](./v8/CVE-2018-6122.md) | wasm | async, Side Effect, Type Confusion | ?
[CVE-2018-6136](./v8/CVE-2018-6136.md) | RegExp | Side Effect, Type Confusion | _Peter Wong_
[CVE-2018-6142](./v8/CVE-2018-6142.md) | Map | Information Leak, OOB | _Choongwoo Han [[8]](#naver)_
[CVE-2018-6143](./v8/CVE-2018-6143.md) | RegExp | Side Effect, OOB | _Guang Gong [[1]](#qihoo360)_
[CVE-2018-6149](./v8/CVE-2018-6149.md) | String.split | Allocator, OOB | _Yu Zhou and Jundong Xie [[11]](#afly)_
[CVE-2018-16065](./v8/CVE-2018-16065.md) | TypedArray.of | Side Effect, OOB, Detach Buffer | _Brendon Tiszka_
[CVE-2018-17463](./v8/CVE-2018-17463.md) | Compiler | Object.create | _Samuel Gross_
[CVE-2019-5755](./v8/CVE-2019-5755.md) | Compiler | OOB | _Jay Bosamiya_
[CVE-2019-5782](./v8/CVE-2019-5782.md) | Compiler | OOB | _Zhao Qixun [[5]](#qihoo360vulcan)_
[CVE-2019-5784](./v8/CVE-2019-5784.md) | Optimization | Allocator | _lupin_## ChakraCore
CVE Number | Feature | Keywords | Credit
---------- | ------- | -------- | ------
[CVE-2016-3386](./chakra/CVE-2016-3386.md) | Spread Operator | Array, Proxy, Stack Overflow | _Richard Zhu_
[CVE-2016-7189](./chakra/CVE-2016-7189.md) | Array.join | Information Leak | _Natalie Silvanovich [[3]](#projectzero)_
[CVE-2016-7190](./chakra/CVE-2016-7190.md) | Array.map | Heap Overflow | _Natalie Silvanovich [[3]](#projectzero)_
[CVE-2016-7194](./chakra/CVE-2016-7194.md) | Function.apply | Information Leak | _Natalie Silvanovich [[3]](#projectzero)_
[CVE-2016-7200](./chakra/CVE-2016-7200.md) | Array.filter | Heap Corruption | _Natalie Silvanovich [[3]](#projectzero)_
[CVE-2016-7201](./chakra/CVE-2016-7201.md) | Array | Prototype, Type Confusion | _Natalie Silvanovich [[3]](#projectzero)_
[CVE-2016-7202](./chakra/CVE-2016-7202.md) | Array.reverse | Overflow | _Natalie Silvanovich [[3]](#projectzero)_
[CVE-2016-7203](./chakra/CVE-2016-7203.md) | Array.splice | Heap Overflow | _Natalie Silvanovich [[3]](#projectzero)_
[CVE-2016-7240](./chakra/CVE-2016-7240.md) | eval | Proxy, Type Confusion | _Natalie Silvanovich [[3]](#projectzero)_
[CVE-2016-7241](./chakra/CVE-2016-7241.md) | JSON.parse | Information Leak | _Natalie Silvanovich [[3]](#projectzero)_
[CVE-2016-7286](./chakra/CVE-2016-7286.md) | SIMD.toLocaleString | Uninitialized Memory | _Natalie Silvanovich [[3]](#projectzero)_
[CVE-2016-7287](./chakra/CVE-2016-7287.md) | Intl | Initialization, Type Confusion | _Natalie Silvanovich [[3]](#projectzero)_
[CVE-2016-7288](./chakra/CVE-2016-7288.md) | TypedArray.sort | Side Effect, Detach Buffer | _Natalie Silvanovich [[3]](#projectzero)_
[CVE-2017-0015](./chakra/CVE-2017-0015.md) | Spread Operator | Side Effect, Uninitialized Memory | _Qixun Zhao [[4]](#qihoo360skyeye)_
_lokihart_
_Simon Zuckerbraun_
[CVE-2017-0071](./chakra/CVE-2017-0071.md) | Optimization | Array, Type Confusion | _lokihardt [[3]](#projectzero)_
[CVE-2017-0134](./chakra/CVE-2017-0134.md) | Array.concat | Side Effect, Type Confusion | _Jordan Rabet_
[CVE-2017-0141](./chakra/CVE-2017-0141.md) | Array.reverse | Side Effect | _Semmle Inc_
[CVE-2017-0234](./chakra/CVE-2017-0234.md) | ArrayBuffer | OOB | _Yuange [[10]](#zhanlulab)_
[CVE-2017-0236](./chakra/CVE-2017-0236.md) | ArrayBuffer | UAF | _Tencent Security Lance Team_
_Yuki Chen [[5]](#qihoo360vulcan)_
[CVE-2017-8548](./chakra/CVE-2017-8548.md) | Optimization | Array | _lokihardt [[3]](#projectzero)_
[CVE-2017-8601](./chakra/CVE-2017-8601.md) | Optimization | Array | _lokihardt [[3]](#projectzero)_
[CVE-2017-8634](./chakra/CVE-2017-8634.md) | Array.concat | Side Effect | _Hao Lian [[5]](#qihoo360vulcan)_
_HyungSeok Han [[6]](#kaistsoftsec)_
[CVE-2017-8636](./chakra/CVE-2017-8636.md) | Compiler | Integer Overflow | _lokihardt [[3]](#projectzero)_
[CVE-2017-8640](./chakra/CVE-2017-8640.md) | arguments, | Compiler, Uninitialize Memory | _lokihardt [[3]](#projectzero)_
[CVE-2017-8645](./chakra/CVE-2017-8645.md) | Compiler | asm.js | _lokihardt [[3]](#projectzero)_
[CVE-2017-8646](./chakra/CVE-2017-8646.md) | Compiler | asm.js | _lokihardt [[3]](#projectzero)_
[CVE-2017-8656](./chakra/CVE-2017-8656.md) | try | Uninitialized Memory | _lokihardt [[3]](#projectzero)_
[CVE-2017-8657](./chakra/CVE-2017-8657.md) | Compiler | asm.js | _lokihardt [[3]](#projectzero)_
[CVE-2017-8670](./chakra/CVE-2017-8670.md) | arguments | Compiler, Uninitialize Memory | _lokihardt [[3]](#projectzero)_
[CVE-2017-8671](./chakra/CVE-2017-8671.md) | Function.call | Integer Overflow | _lokihardt [[3]](#projectzero)_
[CVE-2017-8729](./chakra/CVE-2017-8729.md) | Parser | Object | _lokihardt [[3]](#projectzero)_
[CVE-2017-8740](./chakra/CVE-2017-8740.md) | Parser | Scope | _lokihardt [[3]](#projectzero)_
[CVE-2017-8755](./chakra/CVE-2017-8755.md) | Parser | asm.js | _lokihardt [[3]](#projectzero)_
[CVE-2017-11764](./chakra/CVE-2017-11764.md) | Parser | eval | _lokihardt [[3]](#projectzero)_
[CVE-2017-11799](./chakra/CVE-2017-11799.md) | Compiler | JIT | _lokihardt [[3]](#projectzero)_
[CVE-2017-11802](./chakra/CVE-2017-11802.md) | Compiler | String.replace, Type Confusion | _lokihardt [[3]](#projectzero)_
[CVE-2017-11809](./chakra/CVE-2017-11809.md) | Compiler | Uninitialized Memory | _lokihardt [[3]](#projectzero)_
[CVE-2017-11811](./chakra/CVE-2017-11811.md) | Compiler | Type confusion | _lokihardt [[3]](#projectzero)_
[CVE-2017-11839](./chakra/CVE-2017-11839.md) | Compiler | JIT | _lokihardt [[3]](#projectzero)_
[CVE-2017-11840](./chakra/CVE-2017-11840.md) | Compiler | JIT | _lokihardt [[3]](#projectzero)_
[CVE-2017-11841](./chakra/CVE-2017-11841.md) | Compiler | JIT | _lokihardt [[3]](#projectzero)_
[CVE-2017-11861](./chakra/CVE-2017-11861.md) | Compiler | Integer Overflow | _lokihardt [[3]](#projectzero)_
[CVE-2017-11870](./chakra/CVE-2017-11870.md) | Compiler | JIT | _lokihardt [[3]](#projectzero)_
[CVE-2017-11873](./chakra/CVE-2017-11873.md) | Compiler | JIT | _lokihardt [[3]](#projectzero)_
[CVE-2017-11893](./chakra/CVE-2017-11893.md) | Compiler | JIT, Math | _lokihardt [[3]](#projectzero)_
[CVE-2017-11909](./chakra/CVE-2017-11909.md) | Compiler | JIT | _lokihardt [[3]](#projectzero)_
[CVE-2017-11911](./chakra/CVE-2017-11911.md) | Compiler | asm.js, OOB | _lokihardt [[3]](#projectzero)_
[CVE-2017-11914](./chakra/CVE-2017-11914.md) | Compiler | Type Confusion | _lokihardt [[3]](#projectzero)_
[CVE-2017-11918](./chakra/CVE-2017-11918.md) | Compiler | JIT | _lokihardt [[3]](#projectzero)_
[CVE-2018-0758](./chakra/CVE-2018-0758.md) | String | Integer Overflow | _lokihardt [[3]](#projectzero)_
[CVE-2018-0767](./chakra/CVE-2018-0767.md) | Array | OOB | _lokihardt [[3]](#projectzero)_
[CVE-2018-0769](./chakra/CVE-2018-0769.md) | Compiler | JIT, OOB | _lokihardt [[3]](#projectzero)_
[CVE-2018-0770](./chakra/CVE-2018-0770.md) | Compiler | JIT | _lokihardt [[3]](#projectzero)_
[CVE-2018-0774](./chakra/CVE-2018-0774.md) | Compiler | Incorrect Scope | _lokihardt [[3]](#projectzero)_
[CVE-2018-0775](./chakra/CVE-2018-0775.md) | Compiler | Incorrect Scope | _lokihardt [[3]](#projectzero)_
[CVE-2018-0776](./chakra/CVE-2018-0776.md) | Compiler | JIT, Bailout | _lokihardt [[3]](#projectzero)_
[CVE-2018-0777](./chakra/CVE-2018-0777.md) | Compiler | JIT | _lokihardt [[3]](#projectzero)_
[CVE-2018-0780](./chakra/CVE-2018-0780.md) | Compiler | asm.js, OOB | _lokihardt [[3]](#projectzero)_
[CVE-2018-0834](./chakra/CVE-2018-0834.md) | Compiler | Array, Type Confusion | _lokihardt [[3]](#projectzero)_
[CVE-2018-0835](./chakra/CVE-2018-0835.md) | Compiler | Array.reverse, Type Confusion | _lokihardt [[3]](#projectzero)_
[CVE-2018-0837](./chakra/CVE-2018-0837.md) | Compiler | JIT, Type Confusion | _lokihardt [[3]](#projectzero)_
[CVE-2018-0838](./chakra/CVE-2018-0838.md) | Compiler | Array, Type Confusion | _lokihardt [[3]](#projectzero)_
[CVE-2018-0840](./chakra/CVE-2018-0840.md) | Compiler | JIT | _lokihardt [[3]](#projectzero)_
[CVE-2018-0860](./chakra/CVE-2018-0860.md) | Compiler | JIT, Information Leak | _lokihardt [[3]](#projectzero)_
[CVE-2018-0933](./chakra/CVE-2018-0933.md) | Compiler | JIT, Bailout | _lokihardt [[3]](#projectzero)_
[CVE-2018-0934](./chakra/CVE-2018-0934.md) | Compiler | JIT, Bailout | _lokihardt [[3]](#projectzero)_
[CVE-2018-0953](./chakra/CVE-2018-0953.md) | Compiler | Type Confusion | _lokihardt [[3]](#projectzero)_
[CVE-2018-0980](./chakra/CVE-2018-0980.md) | Compiler | Bound Check Elimination | _lokihardt [[3]](#projectzero)_
[CVE-2018-8139](./chakra/CVE-2018-8139.md) | Function | OOB | _lokihardt [[3]](#projectzero)_
[CVE-2018-8145](./chakra/CVE-2018-8145.md) | JIT | OOB | _lokihardt [[3]](#projectzero)_
[CVE-2018-8229](./chakra/CVE-2018-8229.md) | JIT | Type Confusion | _lokihardt [[3]](#projectzero)_
[CVE-2018-8279](./chakra/CVE-2018-8279.md) | Parser | Parameter Scope | _lokihardt [[3]](#projectzero)_
[CVE-2018-8288](./chakra/CVE-2018-8288.md) | Compiler | JIT | _lokihardt [[3]](#projectzero)_
[CVE-2018-8291](./chakra/CVE-2018-8291.md) | Property | Type confusion | _lokihardt [[3]](#projectzero)_
[CVE-2018-8298](./chakra/CVE-2018-8298.md) | Intl | TimeFormat | _lokihardt [[3]](#projectzero)_
[CVE-2018-8355](./chakra/CVE-2018-8355.md) | JIT | Type Confusion | _lokihardt [[3]](#projectzero)_
[CVE-2018-8384](./chakra/CVE-2018-8384.md) | PathTypeHandler | Type Confusion | _lokihardt [[3]](#projectzero)_
[CVE-2018-8466](./chakra/CVE-2018-8466.md) | JIT | Type Confusion | _lokihardt [[3]](#projectzero)_
[CVE-2018-8467](./chakra/CVE-2018-8467.md) | JIT | Type Confusion | _lokihardt [[3]](#projectzero)_
[CVE-2018-8617](./chakra/CVE-2018-8617.md) | Optimization | Type Confusion | _lokihardt [[3]](#projectzero)_
[CVE-2019-0539](./chakra/CVE-2019-0539.md) | JIT | Type Confusion | _lokihardt [[3]](#projectzero)_
[CVE-2019-0567](./chakra/CVE-2019-0567.md) | JIT | Type Confusion | _lokihardt [[3]](#projectzero)_
[CVE-2019-0568](./chakra/CVE-2019-0568.md) | JIT | Use After Free | _lokihardt [[3]](#projectzero)_## JavaScriptCore
CVE Number | Feature | Keywords | Credit
---------- | ------- | -------- | ------
[CVE-2016-1857](./jsc/CVE-2016-1857.md) | Array.join | Side Effect, Use After Free | _Liang Chen_, _Zhen Feng_, _wushi_ _[[2]](#keenlab)_
_Jeonghoon Shin_
[CVE-2016-4622](./jsc/CVE-2016-4622.md) | Array.slice | Side Effect, OOB | _Samuel Groß_
[CVE-2016-4734](./jsc/CVE-2016-4734.md) | TypedArray.copyWithin
TypedArray.fill | Side Effect, Detach Buffer | _Natalie Silvanovich [[3]](#projectzero)_
[CVE-2017-2446](./jsc/CVE-2017-2446.md) | Funciton.caller | Type Confusion | _Natalie Silvanovich [[3]](#projectzero)_
[CVE-2017-2447](./jsc/CVE-2017-2447.md) | Function.bind | OOB | _Natalie Silvanovich [[3]](#projectzero)_
[CVE-2017-2464](./jsc/CVE-2017-2464.md) | Array.concat | Integer Overflow | _Natalie Silvanovich [[3]](#projectzero)_
[CVE-2017-2491](./jsc/CVE-2017-2491.md) | String.replace | RegExp, Use After Free | _Samuel Groß_, and _Niklas Baumstark_
[CVE-2017-2521](./jsc/CVE-2017-2521.md) | Array.length | OOB | _lokihardt [[3]](#projectzero)_
[CVE-2017-2531](./jsc/CVE-2017-2531.md) | | OOB | _lokihardt [[3]](#projectzero)_
[CVE-2017-2536](./jsc/CVE-2017-2536.md) | Spread Operator | Array, Integer Overflow | _Samuel Groß_, and _Niklas Baumstark_
[CVE-2017-2547](./jsc/CVE-2017-2547.md) | Optimization | parseInt, Compiler, OOB | _lokihardt [[3]](#projectzero)_
[CVE-2017-6980](./jsc/CVE-2017-6980.md) | Array.splice | Uninitialized Memory | _lokihardt [[3]](#projectzero)_
[CVE-2017-6984](./jsc/CVE-2017-6984.md) | Intl.getCanonicalLocales | Heap Overflow | _lokihardt [[3]](#projectzero)_
[CVE-2017-7056](./jsc/CVE-2017-7056.md) | arguments | Uninitialized Memory | _lokihardt [[3]](#projectzero)_
[CVE-2017-7061](./jsc/CVE-2017-7061.md) | Compiler | for-in, Type Confusion | _lokihardt [[3]](#projectzero)_
[CVE-2017-7092](./jsc/CVE-2017-7092.md) | String.link | Heap Overflow | _Samuel Groß and Niklas Baumstark_
_Qixun Zhao [[5]](#qihoo360vulcan)_
[CVE-2017-7117](./jsc/CVE-2017-7117.md) | Compiler | for-in, Type Confusion | _lokihardt [[3]](#projectzero)_
[CVE-2018-4233](./jsc/CVE-2018-4233.md) | Compiler | Proxy, Array, Type Confusion | _Samuel Groß_
[CVE-2018-4382](./jsc/CVE-2018-4382.md) | Compiler | Type Confusion | _lokihardt [[3]](#projectzero)_
[CVE-2018-4386](./jsc/CVE-2018-4386.md) | Compiler | Incorrect Optimization | _lokihardt [[3]](#projectzero)_
[CVE-2018-4416](./jsc/CVE-2018-4416.md) | Compiler | Type Confusion | _lokihardt [[3]](#projectzero)_
[CVE-2018-4438](./jsc/CVE-2018-4438.md) | Compiler | Prototype Chains | _lokihardt [[3]](#projectzero)_
[CVE-2018-4441](./jsc/CVE-2018-4441.md) | JSArray | OOB | _lokihardt [[3]](#projectzero)_
[CVE-2018-4442](./jsc/CVE-2018-4442.md) | JIT | Use After Free | _lokihardt [[3]](#projectzero)_
[CVE-2018-4443](./jsc/CVE-2018-4443.md) | AbstractValue | Use After Free | _lokihardt [[3]](#projectzero)_
[CVE-2019-6215](./jsc/CVE-2019-6215.md) | Optimization | Type Confusion | _lokihardt [[3]](#projectzero)_
[CVE-2019-8506](./jsc/CVE-2019-8506.md) | RegExp | Type Confusion | _Samuel Groß [[3]](#projectzero)_
[CVE-2019-8518](./jsc/CVE-2019-8518.md) | JIT | OOB | _Samuel Groß [[3]](#projectzero)_
[CVE-2019-8558](./jsc/CVE-2019-8558.md) | CodeBlock | UAF | _Samuel Groß [[3]](#projectzero)_## SpiderMonkey
CVE Number | Feature | Keywords | Credit
---------- | ------- | -------- | ------
[CVE-2014-1513](./spidermonkey/CVE-2014-1513.md) | TypedArray.subarray | OOB, Detach Buffer, Side Effect | _Jüri Aedla_
[CVE-2018-12387](./spidermonkey/CVE-2018-12387.md) | Array.prototype.push | Memory Disclosure | _Bruno Keith and Niklas Baumstark_
[CVE-2019-9791](./spidermonkey/CVE-2019-9791.md) | OSR, JIT | Type Confusions | _Samuel Groß [[3]](#projectzero)_
[CVE-2019-9813](./spidermonkey/CVE-2019-9813.md) | Prototype, JIT | Type Confusions | _Samuel Groß [[3]](#projectzero)_## JScript
CVE Number | Feature | Keywords | Credit
---------- | ------- | -------- | ------
[CVE-2017-11793](./jscript/CVE-2017-11793.md) | JSON | Use After Free | _ifratric [[3]](#projectzero)_
[CVE-2017-11855](./jscript/CVE-2017-11855.md) | Array.slice | Uninitialized Variable | _ifratric [[3]](#projectzero)_
[CVE-2017-11890](./jscript/CVE-2017-11890.md) | RegExp | Heap overflow | _ifratric [[3]](#projectzero)_
[CVE-2017-11903](./jscript/CVE-2017-11903.md) | Array.join | Use After Free | _ifratric [[3]](#projectzero)_
[CVE-2017-11906](./jscript/CVE-2017-11906.md) | RegExp | OOB | _ifratric [[3]](#projectzero)_
[CVE-2017-11907](./jscript/CVE-2017-11907.md) | Array.sort | Heap overflow | _ifratric [[3]](#projectzero)_
[CVE-2018-0891](./jscript/CVE-2018-0891.md) | RegExp.lastMatch | Memory Disclosure | _ifratric [[3]](#projectzero)_
[CVE-2018-0935](./jscript/CVE-2018-0935.md) | Array | Use After Free | _ifratric [[3]](#projectzero)_
[CVE-2018-8353](./jscript/CVE-2018-8353.md) | RegExp | Use After Free | _ifratric [[3]](#projectzero)_
[CVE-2018-8631](./jscript/CVE-2018-8631.md) | Array | OOB | _ifratric [[3]](#projectzero)_
[CVE-2018-8389](./jscript/CVE-2018-8389.md) | ActiveXObject | Use After Free | _Sudhakar Verma and Ashfaq Ansari[[12]](#srishti)_
[CVE-2019-0930](./jscript/CVE-2019-0930.md) | getVarDate | Use After Free | _Krishnakant Patil and Siddhant Badhe[[12]](#srishti)_---
[1] Qihoo 360
[2] Tencent KeenLab
[3] Google Project Zero
[4] Qihoo 360 Skyeye Labs
[5] Qihoo 360 Vulcan Team
[6] KAIST SoftSec
[7] Tencent Security Platform Department
[8] Naver Corporation
[9] Microsoft
[10] Tencent Zhanlu Lab
[11] Ant-financial Light-Year Security Lab
[12] Project Srishti