2024-08-05 18:41:32 +00:00

### [CVE-2018-12387](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12387)
![](https://img.shields.io/static/v1?label=Product&message=Firefox%20ESR&color=blue)
![](https://img.shields.io/static/v1?label=Product&message=Firefox&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3C%2060.2.2%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Version&message=%3C%2062.0.3%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)
### Description
A vulnerability in which the JavaScript JIT compiler inlines `Array.prototype.push` with multiple arguments, leaving the stack pointer off by 8 bytes after a bailout. This leaks a memory address to the calling function, which can be used as part of an exploit inside the sandboxed content process. This vulnerability affects Firefox ESR < 60.2.2 and Firefox < 62.0.3.
### POC
#### Reference
No PoCs from references.
#### Github
- https://github.com/ARPSyndicate/cvemon
- https://github.com/ZihanYe/web-browser-vulnerabilities
- https://github.com/lnick2023/nicenice
- https://github.com/m00zh33/sploits
- https://github.com/niklasb/sploits
- https://github.com/otravidaahora2t/js-vuln-db
- https://github.com/qazbnm456/awesome-cve-poc
- https://github.com/tunz/js-vuln-db
- https://github.com/xbl3/awesome-cve-poc_qazbnm456