First of all - we should check vulnerable code: evercookie.as
So - the flash file takes flashVar parameter everdata and puts it to SharedObject (something like Local Storege but for Flash). If some data already was in SharedObject - it pass its value to javascript function called _evercookie_flash_var() without any checks. So the proof of concepts for this version looks simple:
http://vulnerable-hostname/evercookie.swf?everdata=f');alert('XSS');//
After visiting this and then visiting page that embeds evercookie.swf - we'll see wonderful alert box ;-) and the best part - it's stored one.
Few weeks ago someone made pull request for fixing some issues (not security related) with QQBrowser and simply replaced getURL() function with ExternalIterface.call(). So - someone accidentally fixed old bug and created new one ;-) Here's the code: evercookie2.as
+ 2nd PoC:
http://vulnerable-hostname/evercookie.swf?everdata=f\\"))}catch(e){}alert(1);//
...and life goes on. :)
If you're using evercookie - please update to newest version. You can also check the video demonstration: https://www.youtube.com/watch?v=kWAiV6Bjm2s
