This vulnerability is similar to issue 1531. The patch seems to prevent type confusion triggered from StElemI_A instructions. But the SetItem method can also be invoked through the Array.prototype.push method which can be inlineed. A proof-of-concept code is provided which shows how type confusion can be achieved with the push method in the same way used for issue 1531. The code creates an array with three elements, deletes the second element, and then calls the opt() function with the array and a value. The opt() function pushes the value to the array and sets the first element to a magic value. When the main() function is called, it creates an array with one element and calls the opt() function with the array and a magic value. When the alert() function is called, it shows the array with the magic value in the first element.