0-click attack surface: When we browse the web, we are constantly exposed to potentially malicious JS code running in our browsers. The browser's embedded JS engine must parse and execute whatever scripts a page serves, with no user interaction required, which makes JS engines highly attractive targets for attackers.
Susceptibility to memory corruption: For the sake of performance, most JS engines are written in low-level native languages such as C/C++. Consequently, they are prone to memory-corruption bugs such as out-of-bounds accesses, use-after-free and type confusion.
Exploit-friendly environment: JS virtual machines (VMs) give exploit writers a great deal of flexibility. From script, an attacker can shape the heap layout, retry an attack many times, and embed a full exploit chain within a single script or payload.
As a result, most major JS engines have adopted various hardening measures to raise the bar for a successful compromise. These measures range from process isolation, such as the Chrome renderer sandbox, to custom VM heap hardening techniques like those implemented in WebKit or the more recent V8 Ubercage.
In my role at Meta (formerly known as Facebook), I have the opportunity to work on improving the security posture of one of the most widely used JS engines in the industry: Hermes. Hermes is primarily known for powering React Native applications, but it is also utilized in various other contexts, including scripted AR effects running on Instagram Reels, Messenger calls, and many other products.
I recently published an engaging walkthrough of a unique Hermes vulnerability discovered by an external security researcher. I discussed how it could have been exploited to execute arbitrary code within Hermes. You can read the full article here.