CVE-2023-29549
Description
Under certain circumstances, a call to the bind function may have resulted in the incorrect realm. This may have created a vulnerability relating to JavaScript-implemented sandboxes such as SES. This vulnerability affects Firefox for Android < 112, Firefox < 112, and Focus for Android < 112.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Firefox <112, a call to `bind` could return the wrong realm, potentially breaking JavaScript sandboxes like SES.
Vulnerability
In Firefox, Firefox for Android, and Focus for Android versions prior to 112, the bind function could produce a function with an incorrect realm. This issue, tracked as bug 1823042, arises because the realm was not correctly set for constructor calls after binding, as noted in the Mozilla security advisory [1][2]. Affected products include Firefox <112, Firefox for Android <112, and Focus for Android <112.
Exploitation
An attacker triggers the vulnerability with crafted JavaScript that reaches the incorrect realm assignment. The bug report gives a specific sequence using `this.newGlobal`, `Reflect.construct`, and `bind` that induces an assertion failure, showing that the realm mismatch occurs for constructor calls through a bound function when the call crosses a realm boundary [2]. No privileges beyond running JavaScript and no user interaction are needed; note, though, that `newGlobal` is a SpiderMonkey shell test helper, so the report's script runs as-is only in the JS shell, and content in the browser would need to obtain the second realm by other means.
Impact
Successful exploitation could let code run, or allocate objects, in a realm other than the intended one. Sandboxes implemented in JavaScript, such as Secure ECMAScript (SES), rely on realm boundaries to confine untrusted code, so a realm mismatch can give the confined code access to another compartment's objects and privileges. The page does not describe any memory-safety consequence; the issue is a sandbox escape. The Mozilla advisory rated the impact as high [1].
Mitigation
The vulnerability is fixed in Firefox 112, Firefox for Android 112, and Focus for Android 112, which were released on April 11, 2023 [1]. Users should upgrade to these versions or later. No workaround is available; updating the browser is the only mitigation.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Vendor entries: three products (per the description, Firefox, Firefox for Android, and Focus for Android), each listed with two ranges:
- (no CPE) range: <112
- (no CPE) range: unspecified
OSV coordinates (2 versions), in the order listed:
- pkg:rpm/opensuse/firefox-esr&distro=openSUSE%20Tumbleweed
- pkg:rpm/opensuse/MozillaFirefox&distro=openSUSE%20Tumbleweed
- (no CPE) range: < 128.5.1-1.1
- (no CPE) range: < 112.0.1-1.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Incorrect realm handling in the `bind` function implementation for constructor calls causes a realm mismatch."
Attack vector
An attacker can craft JavaScript that calls `bind` on a function and then uses `Reflect.construct` with the bound function, causing the realm to be set incorrectly during constructor calls. The provided PoC uses `Reflect.construct(f4.bind(v1, v1), Reflect)` inside a chain of `Symbol.search` and `Symbol.toPrimitive` overrides to trigger the assertion [ref_id=1]. This could allow code to execute in a different realm than intended, potentially bypassing JavaScript-implemented sandboxes such as SES [ref_id=1].
Affected code
The bug is in the JavaScript engine's `bind` implementation. The assertion failure occurs at `jit/VMFunctions.cpp:818` (`cx->realm() == fun->realm()`), indicating that after a `bind` call the realm of the execution context does not match the realm of the bound function. The regression was introduced by commit 4969ce47f2d294700b97907f9a890cac6d57f5d8 (bug 1819558) [ref_id=1].
What the fix does
The fix adjusts the realm-switching logic in the `bind` implementation: for non-constructing calls it is simpler and faster to switch realms after pushing the arguments and loading the bound function's target, but for constructor calls the switch must happen earlier, because a construct call allocates the new `this` object before the target runs and that allocation has to happen in the target's realm [ref_id=1]. With the fix, the correct realm is active before allocation when a bound function is used as a constructor, which removes the realm mismatch that tripped the assertion [ref_id=1].
Preconditions
- The attacker must be able to execute JavaScript in the target browser context.
- A bound function must be constructed (for example via `Reflect.construct`) across a realm boundary; the PoC arranges this with a second global from `newGlobal` and reaches the construct call through custom `Symbol.search` and `Symbol.toPrimitive` handlers.
Reproduction
Run the following script in a Firefox JS shell (commit 585fe519f14ca8f241370573a902fc6d53cf8ac6) with `--fuzzing-safe`. `newGlobal` is a shell-only test helper that creates a fresh global, and therefore a second realm; it is not available to web content.
```javascript
// Fresh global (new realm); the extra arguments are ignored for this purpose.
const v1 = this.newGlobal(this, this, this, this, this);
with (v1) {
  // Inside the with block, unqualified names such as Reflect resolve to v1's intrinsics.
  const v3 = ("p").__proto__;          // String.prototype
  function f4(a5) {
    // Construct a bound function through the other realm's Reflect.construct.
    Reflect.construct(f4.bind(v1, v1), Reflect);
    return v3;
  }
  v3[Symbol.search] = f4;              // "..."+.search(v3) now calls f4
  function f11(a12, a13) {
    a12.search(v3);                    // hint string .search -> v3[Symbol.search] -> f4
    return this;
  }
  v3[Symbol.toPrimitive] = f11;        // ToString(v3) now calls f11
  v3.trimEnd();                        // ToString(this) starts the chain
}
```
This triggers an assertion failure at `jit/VMFunctions.cpp:818` [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.