| PageName | Summary + Labels | Changed | ChangedBy |
|---|---|---|---|
| GlobalObjectPoisoning | passing any object cross-frame gives access to global definitions. | Nov 02 | mikesamuel |
| RedirectWithoutUserAction | Frames can redirect other frames | Oct 20 | jasvir |
| PhishingViaCrossSiteHttpAuth | An attacker can display an HTTP authorization dialog that looks like it may have come from another site | Oct 20 | jasvir |
| UrlFetchingSideChannel | Side-channels from unproxied connections leak information across closed networks | Sep 10 | mikesamuel |
| GlobalScopeViaThis | `this` is often bound to the global scope. | Aug 05 | erights |
| ErrorExposesParameterValues | The stack property of Error includes parameter values. | May 2009 | davidsarah.hopwood |
| CatchBlocksScopeBleed | catch blocks don't always introduce a new scope. | May 2009 | davidsarah.hopwood |
| StringObfuscationIsEasy | regular expressions cannot match bad code without unacceptable false positives | Apr 2009 | mikesamuel |
| CssImportsAllowUnsanitizedCodeExecution | @import(<url>) can allow execution of script in unsanitized CSS | Apr 2009 | mikesamuel |
| DeleteUnmasksGlobals | `delete` defeats masking of globals via `with` | Feb 2009 | jasvir |
| ConditionalCompilationComments | Conditional compilation may allow disabling of runtime checks. | Dec 2008 | mikesamuel |
| IdAndNameMasking | Descendants with an ID or NAME attribute can mask properties defined in DOM2 HtmlCollection, HTMLFormElement, NamedNodeMap, etc. | Dec 2008 | mikesamuel |
| CompoundAssignmentsCanReturnNonNumber | Compound assignment expressions might not evaluate to a number (or string in the case of +=), in violation of the ES3 specification. Simple assignments might not evaluate to their right-hand-side. | Nov 2008 | davidsarah.hopwood |
| CssAllowsArbitraryCodeExecution | CSS allows binding of properties to arbitrary javascript expressions | Nov 2008 | davidsarah.hopwood |
| MisOptimizations | Some interpreters try optimizations that subtly change the semantics of builtin operators | Nov 2008 | davidsarah.hopwood |
| PostIncrementAndDecrementCanReturnNonNumber | Post-increment and post-decrement expressions might not evaluate to a number, in violation of the ES3 specification | Nov 2008 | davidsarah.hopwood |
| RegexpsLeakMatchGlobally | Any regular expression can match against the last string passed to any other | Jun 2008 | mikesamuel |
| HiddenControlFlowHazard | | Jun 2008 | erights |
| XsrfViaXxe | parsing XML can cause the browser to fetch arbitrary URLs | Jun 2008 | mikesamuel |
| SetTimeoutArbitraryCodeExecution | some browser intrinsics treat a string as code to eval. | Jun 2008 | mikesamuel |
| ObjectWatch | watch and unwatch intercept gets and sets to object properties | Jun 2008 | mikesamuel |
| ObjectEvalArbitraryCodeExecution | eval reachable from any Object on some browsers | Jun 2008 | mikesamuel |
| FunctionMethodsLeakGlobalScope | myFunction.call(null) causes `this` to bind to the global object | Jun 2008 | mikesamuel |
| FunctionMemberCrossScopeParameterAccess | myFn.arguments[0] changes local variables while the call is in progress | Jun 2008 | mikesamuel |
| DomAllowsKeylogging | | Jun 2008 | mikesamuel |
| CrossScopeParameterModification | function parameters can be changed without assignment via `arguments` | Jun 2008 | mikesamuel |
| ArgumentsMaskedByVar | special arguments array maskable | Jun 2008 | mikesamuel |
| ArgumentsExposesCaller | Reflective call stack traversal leaks references. | Jun 2008 | mikesamuel |
| ParentCircumventsScoping | | Nov 2007 | mikesamuel |
| DomAllowsXsrf | | Oct 2007 | mikesamuel |
| FunctionConstructor | | Oct 2007 | mikesamuel |