We should indeed probably use RefPtr here. But I wonder if there's a real-world way to actually call SendOpen multiple times without modifying code, though. I see guards to prevent that:

* https://searchfox.org/mozilla-central/rev/85269d4444c2553e7f4c669fe4de72d64f4fe438/dom/html/HTMLInputElement.cpp#771-774
* https://searchfox.org/mozilla-central/rev/85269d4444c2553e7f4c669fe4de72d64f4fe438/dom/html/HTMLInputElement.cpp#724-727

And also the transient user activation consumption that the report disabled:

* https://searchfox.org/mozilla-central/rev/85269d4444c2553e7f4c669fe4de72d64f4fe438/dom/html/HTMLInputElement.cpp#679

Combined, I doubt this is actually exploitable.
Bug 1846689 Comment 4 Edit History
We should indeed probably use RefPtr here. But I wonder if there's a real-world way to actually call SendOpen multiple times without modifying code, though. I see guards to prevent that:

* https://searchfox.org/mozilla-central/rev/85269d4444c2553e7f4c669fe4de72d64f4fe438/dom/html/HTMLInputElement.cpp#771-774
* https://searchfox.org/mozilla-central/rev/85269d4444c2553e7f4c669fe4de72d64f4fe438/dom/html/HTMLInputElement.cpp#724-727

And also the transient user activation consumption that the reporter disabled:

* https://searchfox.org/mozilla-central/rev/85269d4444c2553e7f4c669fe4de72d64f4fe438/dom/html/HTMLInputElement.cpp#679

Combined, I doubt this is actually exploitable.
We should indeed probably use RefPtr here. But I wonder if there's a real-world way to actually call SendOpen multiple times without modifying code as comment #2 does, though. I see guards to prevent that:

* https://searchfox.org/mozilla-central/rev/85269d4444c2553e7f4c669fe4de72d64f4fe438/dom/html/HTMLInputElement.cpp#771-774
* https://searchfox.org/mozilla-central/rev/85269d4444c2553e7f4c669fe4de72d64f4fe438/dom/html/HTMLInputElement.cpp#724-727

And also the transient user activation consumption that the reporter disabled:

* https://searchfox.org/mozilla-central/rev/85269d4444c2553e7f4c669fe4de72d64f4fe438/dom/html/HTMLInputElement.cpp#679

Combined, I doubt this is actually exploitable.