Supermium

[Mathwiz]

3 hours ago, Karla Sleutel said:

Isn't the minimum requirement chromium 138?

Version 138 is required for the fix; the bug goes back earlier though:

Quote

Type confusion in V8 in Google Chrome prior to 138.0.7204.96 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page.

7 hours ago, EliraFriesnan said:

Initial release    September 2, 2008

Good catch. Google is being tight-lipped on exactly when this vulnerability crept in. I doubt it goes all the way back to 2008, though. Today's V8 looks nothing like the original. I believe (and should have said) versions prior to the V8 optimizer are not vulnerable.

I suspect 360EE (and Kafan MiniBrowser) aren't vulnerable because the option to turn off the optimizer isn't there (presumably because there's nothing to turn off), but I can't be sure with the limited info we have.

[Karla Sleutel]

16 hours ago, Mathwiz said:

Version 138 is required for the fix; the bug goes back earlier though

That was clear, but from what they tell, looks like the patch is intended to be applied only to 138+.

Who would write a patch for the old 132, while we are at 140+ already?

 

[Mathwiz]

You are right. You need version 138 or above to get the patch. If folks don't want to update, the patch is unavailable to them. For those folks, the only safe option is to turn off the V8 optimizer as described previously.

I suppose, in theory, someone skilled in building Chromium could apply the patch to earlier versions, but I can't imagine anyone would do so, unless there were a very popular old version that many folks were reluctant to update from.

[Dave-H]

So has Win32ss engineered the patch for Supermium, even though it's only at Chromium 132?
It is based on the ESR version, which should surely be able to have the patch applied?