## Background
Browsers have recently added new language features which allow executing code from a string:
* the "import" expression, and
* async functions and async generators (rather, the corresponding constructors of such functions).
SES, being unaware of these features, could not prevent them from being used to execute arbitrary code.
## Impact and Advice
In order to prevent future vulnerabilities of this form, we have switched to having SES and Caja always parse and rewrite the input JS, to guarantee that the input is within the correctly-understood subset of the language. This unfortunately means that source position information in exceptions will not be useful. We are looking into solutions for this problem.