### Vulnerability Key Information

- **Vulnerability Type**: Type confusion
- **Description**: A type confusion vulnerability exists in `ObjectBackedNativeHandler::Router`. The router fetches the handler function through a JavaScript-visible property lookup (`data->Get(kHandlerFunction)`) on the data object. When a content frame is detached, the value read from that slot may be arbitrary rather than the registered handler, so subsequent calls through the router act on an unexpected object.
- **Priority**: P1 (highest)
- **Severity**: S1
- **Status**: Fixed
- **Reporter**: se...@gmail.com
- **Platform**: Chromium, extensions component
- **Related Code**: `object_backed_native_handler.cc`
- **Reproduction Steps**:
  - UserAgent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
- **Problem Code Snippet** (the guard in `Router` as it stood before the fix; the template argument on `v8::Local` was lost in extraction and is restored here):

```cpp
// Look up the handler by name on the data object. This is an ordinary
// JavaScript property read, so it resolves whatever currently sits there.
v8::Local<v8::Value> handler_function_value =
    data->Get(v8::String::NewFromUtf8(args.GetIsolate(), kHandlerFunction));
// See comment in header file for why we do this.
// The check only asks "is this a function?"; it does not pin the value to
// the handler that was originally registered.
if (handler_function_value.IsEmpty() || !handler_function_value->IsFunction()) {
  ScriptContext* script_context = ScriptContextSet::GetContextByV8Context(
      args.GetIsolate()->GetCurrentContext());
  console::Error(script_context ? script_context->GetRenderFrame() : nullptr,
                 "Extension view no longer exists");
  return;
}
```

- **Impact**: An extension could access and invoke functions through the router after its content frame has been detached, when the router should have refused the call.
- **Tags**: Security_Impact-Stable, CVE_description-submitted
- **Additional Information**:
  - Issue Tracker: Chromium Issue Tracker
  - A CVE description has been submitted for this vulnerability.
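The following is an added illustration, not Chromium code and not the fix that landed for this issue. It models the router check above in JavaScript: a handler is fetched by an ordinary property read and accepted if it is "a function". The model shows that the check correctly rejects a cleared slot, but that any function placed in the slot passes it, because a type check tests shape, not identity. A hardened variant keeps the registered handler in a `WeakMap` so a plain property write cannot substitute it. All names here (`HANDLER_KEY`, `routerCall`, `makeData`, `registerHandler`, `hardenedRouterCall`) are assumptions made for this example.

```javascript
// Example model of the Router guard (not Chromium's code). HANDLER_KEY stands in
// for the real kHandlerFunction constant; the exact string is an assumption.
const HANDLER_KEY = "handler_function";

// Mirrors the original check: fetch the slot by a JS-visible property read,
// refuse if it is missing or not a function, otherwise call it.
function routerCall(data, ...args) {
  const handler = data[HANDLER_KEY];
  if (handler === undefined || typeof handler !== "function") {
    return { error: "Extension view no longer exists" };
  }
  return { value: handler(...args) };
}

// Constructed data object carrying a registered handler.
function makeData(handler) {
  return { [HANDLER_KEY]: handler };
}

// Scenario 1: the view is torn down and the slot cleared. The guard catches it.
function detachedViewIsRejected() {
  const data = makeData((x) => x * 2);
  delete data[HANDLER_KEY]; // stand-in for the view going away
  return routerCall(data, 21);
}

// Scenario 2: the slot holds some other function. typeof (IsFunction) passes,
// so the router invokes a handler that was never registered with it.
function substitutedFunctionIsAccepted() {
  const data = makeData((x) => x * 2);
  data[HANDLER_KEY] = () => "not the registered handler";
  return routerCall(data, 21);
}

// Hardened variant (example design only): the handler lives in a WeakMap keyed
// by the data object, out of reach of ordinary property writes on that object.
const registry = new WeakMap();

function registerHandler(data, handler) {
  registry.set(data, handler);
  return data;
}

function unregisterHandler(data) {
  registry.delete(data); // what the detach path would do
}

function hardenedRouterCall(data, ...args) {
  const handler = registry.get(data);
  if (typeof handler !== "function") {
    return { error: "Extension view no longer exists" };
  }
  return { value: handler(...args) };
}

// The same substitution attempt is ignored: only the registered handler runs.
function hardenedRejectsSubstitution() {
  const data = registerHandler({}, (x) => x * 2);
  data[HANDLER_KEY] = () => "not the registered handler";
  return hardenedRouterCall(data, 21);
}

// And a detached view is still refused cleanly.
function hardenedRejectsDetached() {
  const data = registerHandler({}, (x) => x * 2);
  unregisterHandler(data);
  return hardenedRouterCall(data, 21);
}
```

The point of the model is narrow: `IsFunction()` is a necessary check (it keeps the router from calling into a non-callable) but not a sufficient one, because it accepts any function. Holding the handler somewhere that script cannot overwrite, and looking it up by the identity of the owning object, closes that gap.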