When serializing JavaScript objects for sending to another window using the postMessage method, the code in blink does not handle Symbol objects correctly and attempts to serialize this kind of object as a regular object, which results in a bad cast. An attacker that can trigger this issue may be able to execute arbitrary code. Chrome version 38 is affected.
62430de9384e1fc1e44dd85ff62388f8415cb6ba8958ab0623f192a275046d1c