by aweinstock 3521 days ago
For a concrete example of what exploitation of a JS engine bug looks like, PlaidCTF2016 had a challenge that allowed people to run JS in a patched version of V8 that deliberately introduced a bug in array index checking, with the goal being to run x86 machine code.

The patch to v8: http://lpaste.net/317342

An exploit: https://gist.github.com/sroettger/d077d3907999aaa0f89d11d956...

While this bug was artificial, there were (and can still be) bugs with similar consequences in actual engines (see https://www.cvedetails.com/vulnerability-list/vendor_id-1224... or https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=spidermonke... for historical examples).

While a bug in most of the components you mention is bad by itself, its impact is magnified by the presence of JavaScript, which allows an attacker to interleave calculations and interactions with the buggy components, bypassing many mitigations.