If you manage to get the code to execute on a worker or an iframe, you should have a clean environment to operate in, with your own copy of the native environment and prototypes.
The question is... how do you create an iframe or worker safely? document.createElement and window.Worker can be poisoned too.
Perhaps it's possible to verify the functions you're using are native and not created in user-land? That way, at least you could identify the attack and stop execution.
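One way to implement the native-function check suggested above, as an added example that is not part of the original post. The helper names `isNativeNamed` and `findTampered` are hypothetical, `poisonedDoc` is a constructed stand-in for a tampered `document`, and the captured references are only trustworthy on the assumption that this script is evaluated before any untrusted script.

```javascript
// Added example: helper names are hypothetical, sample objects are constructed.
// Captured at load time. Assumption: this script runs before any untrusted
// script, otherwise these references may already be replaced.
const fnToString = Function.prototype.toString;
const reflectApply = Reflect.apply;

// Escape a property name so it can be embedded in a regular expression.
const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// True when `fn` stringifies as a built-in carrying exactly the expected name.
// Requiring the name means wrappers that stringify anonymously are flagged too.
function isNativeNamed(fn, expectedName) {
  if (typeof fn !== 'function') return false;
  let src;
  try {
    // Call the captured toString directly, ignoring any override on `fn`.
    src = reflectApply(fnToString, fn, []);
  } catch (e) {
    return false;
  }
  const re = new RegExp(
    '^function ' + escapeRe(expectedName) +
    '\\(\\)\\s*\\{\\s*\\[native code\\]\\s*\\}$'
  );
  return re.test(src);
}

// checks: array of [label, object, propertyName]; returns the labels that fail.
function findTampered(checks) {
  return checks
    .filter(([, obj, prop]) => !isNativeNamed(obj && obj[prop], prop))
    .map(([label]) => label);
}

// Constructed stand-in for a poisoned `document`: a user-land replacement
// whose own toString claims to be native.
const poisonedDoc = {
  createElement: function createElement(tag) { return { tag }; },
};
poisonedDoc.createElement.toString = () =>
  'function createElement() { [native code] }';

const report = findTampered([
  ['JSON.parse', JSON, 'parse'],
  ['Math.max', Math, 'max'],
  ['document.createElement', poisonedDoc, 'createElement'],
]);
console.log(report);
```

A non-empty result is a tamper signal on which execution can be stopped; an empty result is only as reliable as the captured `Function.prototype.toString` itself.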