### Impact
_What kind of vulnerability is it? Who is impacted?_

In Hardened JavaScript, programs can `harden` objects to safely share objects with co-tenant programs without risk of these other programs tampering with their API surface. Hardening does not guarantee that objects are pure or immutable, so a hardened `Map`, for example is superficially tamper-proof, but any party holding a reference to the object can both read and write its contents. Based on this precedent, and because `TypedArray` instances cannot be frozen with `Object.isFrozen`, `harden` does not `freeze` `TypedArrays` and instead makes them non-extensible and makes all non-indexed properties non-writable and non-configurable. This is consistent with the treatment of `Map` because the indexed properties represent mutable content and non-indexed properties represent the API.

Due to a defect in `harden`, properties that have names that parse as numbers but are not the same as the canonical representation of those numbers, as in `”+0″` and `””` which are both equivalent to their canonical number `”0″`, remain writable after hardening.

Any program treating one of these properties as part of its API and relying on `harden` to prevent modifications would be vulnerable to an API pollution attack, affecting only instances shared by mutually suspicious parties.

Unlike a `Map`, a hardened `TypedArray` can only have numbers for content. Any program that is sharing hardened `TypedArrays` between co-tentant programs and relying on harden to only allow these programs to communicate exclusively by changing numbers within the bounds of the TypedArray, may inadvertently have arranged for a mechanism for a pair of third-parties to communicate arbitrary objects on these other properties.

### Patches
_Has the problem been patched? What versions should users upgrade to?_

SES version 0.16.0 patches this issue, causing `harden` to recognize properties with non-canonical numeric representations and ensuring that these properties are non-configurable.

### Workarounds
_Is there a way for users to fix or remediate the vulnerability without upgrading?_

Users should avoid sharing `TypedArrays` between co-tenant programs and instead create wrapper objects that produce a read-only view of the underlying data. We allow `harden` to succeed for `TypedArrays` because the treatment is in fact consistent with the behavior of collections like `Map`, but all collections shared between co-tentant programs should probably be attenuated to either read- or write-only facets and probably close over only part of the content of the collection. However, the motivation for allowing `TypedArrays` to be hardened in practice is to allow certain legacy modules to function under Hardened JavaScript with LavaMoat, since they export `TypedArrays`, even though they would ideally export read-only facets of these.

### References
_Are there any links users can visit to find out more?_

Not at this time.

### For more information
If you have any questions or comments about this advisory:
* Email us at [[email protected]](mailto:[email protected])Read More