0

I am curious if it is indeed the case that well written Javascript IIFEs are impossible to bypass; For example:

(function() {
    var foo = 9;

    var exports = {
        getFoo: function() {
            return foo;
        }
    };
    window.my_exports = exports;
})();

// can I do anything at all at this point to mutate/access foo directly?

Is there no clever ways to mutate foo anymore? Is it just a "memory leak" with a single strong reference from the closure getFoo which is exposed to global scope, so it cannot be reclaimed?

assuming no memory editors are used that is.

Dmytro
  • 5,068
  • 4
  • 39
  • 50
  • You can always do `delete window.my_exports.getFoo;` – Redu Nov 28 '16 at 19:36
  • Maybe some debugger allows it. Would you consider it a memory editor? – Oriol Nov 28 '16 at 19:36
  • @Redu Which wouldn't mutate `foo`, though. – TimoStaudinger Nov 28 '16 at 19:37
  • Browser developer tools allow the addition of breakpoints, and I'm fairly sure they allow editing of values while paused at a breakpoint. – Niet the Dark Absol Nov 28 '16 at 19:37
  • It's using additional features not normally available to regular JavaScript environments, so it's still indirect means. and deleting the exports will remove the strong reference and I imagine it would cause the garbage collector to reclaim foo along with it, but I still wouldn't have touched foo. – Dmytro Nov 28 '16 at 19:38
  • @Timo once there is no reference left to `foo` if will go puff once GC works. – Redu Nov 28 '16 at 19:38
  • ...however it would be trivial to overwrite `window.my_exports.getFoo` with a different implementation that allows for the effect of a mutable `foo`. – spender Nov 28 '16 at 19:40
  • i was thinking of that too, but it's technically the same kind of thing as memory editing, except you are manipulating the memory manager itself(the part of the runtime responsible for memory allocation/reference counting) to expose memory to the runtime rather than having to brute force look for it, and another word for it would probably be a debugger. It would be possible if the implicit environment chain was accessible from JavaScript, but I imagine it's hidden to make such encapsulation this powerful. – Dmytro Nov 28 '16 at 19:41
  • Why would you like to access and mutate a value that's been disallowed for your access in the first place? – Redu Nov 28 '16 at 19:45
  • I'm curious if I'm overlooking something or if it is indeed truly perfectly closed. – Dmytro Nov 28 '16 at 19:45
  • @NiettheDarkAbsol Not on Firefox :( Or at least I didn't manage to do it. – Oriol Nov 28 '16 at 19:46

0 Answers0