Proof of concept exploit for Microsoft Edge bugs that allow for remote code execution.
f2d4f1a9012f8e20eb5fd805d9286e3ffc7dd340986f32bc6918556e5807cb8e
There is an info leak in Array.filter. In Chakra, the destination array that arrays are filtered into is initialized using ArraySpeciesCreate, which can create both native and variable arrays. However, the loop that calls the filter function assumes that the destination array is a variable array, and sets each value using DirectSetItemAt, which is unsafe, and can lead to a var pointer being written to an integer array.
b151790aef488a9024d8165bd0cf284b8a3f10045d03d24b0017ec0d7a8eab30