Caja Security Advisory 2017-11-14

[Kevin Reid]

## Background

Browsers have recently added new language features which allow executing code from a string:

* the "import" expression, and

* async functions and async generators (rather, the corresponding constructors of such functions).

SES, being unaware of these features, could not prevent them from being used to execute arbitrary code.

## Impact and Advice

This is a complete breach of the Caja sandbox. All users should immediately upgrade to Caja [v6012](https://github.com/google/caja/releases/tag/v6012) or later.

In order to prevent future vulnerabilities of this form, we have switched to having SES and Caja always parse and rewrite the input JS, to guarantee that the input is within the correctly-understood subset of the language. This unfortunately means that source position information in exceptions will not be useful. We are looking into solutions for this problem.