Name of the Vulnerable Software and Affected Versions SES versions prior to 0.16.0

Description The issue concerns a defect in the harden function of Hardened JavaScript, which is used to safely share objects between co-tenant programs. This defect allows properties with non-canonical numeric representations to remain writable after hardening, potentially leading to API pollution attacks. This affects programs that rely on harden to prevent modifications and share instances with mutually suspicious parties. Specifically, hardened TypedArray instances can have non-indexed properties that are writable, which can be exploited. The estimated number of potentially affected devices is not provided.

Recommendations For SES versions prior to 0.16.0, users should upgrade to version 0.16.0 to patch this issue. As a temporary workaround, users can avoid sharing TypedArrays between co-tenant programs and instead create wrapper objects that produce a read-only view of the underlying data. Users should consider attenuating shared collections to either read- or write-only facets and closing over only part of the content of the collection.