15.11.6 and 15.11.7 specify the "native errors" that are thrown for error conditions defined within the specification. However, the introductory text to both sections does not make it clear that a new Native Error instance is thrown on each such error occurrence. In theory, an implementation might interpret this as meaning it only needs to keep a single instance of each Native Error and reuse it for each required throw. Adding properties to such a common instance might be used as a covert communications channel.
15.11.6 should say: "A new instance of one of the NativeError objects ..."
15.11.7 should say: "When an ECMASript implementation detects a runtime error it throws a new instance of one of the NativeError..."
set IN_PROGRESS to indicated this should go into ES5.1 Errata.
Bulk resolving ES5.1 errata issues as a sampling suggests these are all fixed. If this is in error, please open a new issue on GitHub.