Last year, @swapgs and I found a fun bug in the popular enterprise VPN solution Zscaler. The VPN client was using the pacparser library to decide which HTTP requests should be proxied. The decision was made based on a pre-configured Proxy Auto-Configuration (PAC) file which contains JavaScript code. The bug allowed us to escape from a string and execute arbitrary JavaScript in the context of the PAC file. We noticed that pacparser was using a 17 year old version of SpiderMonkey (Firefox’s JS eng...