+++ This bug was initially created as a clone of Bug #9 +++
15.11.6 and 15.11.7 specify the "native errors" that are thrown for error conditions defined within the specification. However, the introductory text to both sections does not make it clear that a new Native Error instance is thrown on each such error occurrence. In theory, an implementation might interpret this as meaning it only needs to keep a single instance of each Native Error and reuse it for each required throw. Adding properties to such a common instance might be used as a covert communications channel.
15.11.6 should say: "A new instance of one of the NativeError objects ..."
15.11.7 should say: "When an ECMASript implementation detects a runtime error it throws a new instance of one of the NativeError..."
fixed in rev 16 editor's draft
fixed in rev16 draft. July 15, 2013