
[CVE-2018-8381] Edge - Child Case of type confusion with EntrySimpleObjectSlotGetter

Marshalling should not be re-entrant. But due to a proxy in the prototype chain, we could have a prototype trap invoked, and things can get worse from there.
We had put a no-reentrancy macro in there, but that protects us on RS3 and up.
In order to fix this, we need to check whether the current object is a proxy or not; in that case, break the chain.
Akrosh Gandhi, 7 years ago
parent commit 1b77d55941

+ 5 - 0
lib/Runtime/Base/CrossSite.cpp

@@ -99,6 +99,11 @@ namespace Js
             {
                 MarshalDynamicObject(scriptContext, prototypeObject);
             }
+            if (JavascriptProxy::Is(prototypeObject))
+            {
+                // Fetching prototype of proxy can invoke trap - which we don't want during the marshalling time.
+                break;
+            }
             prototype = prototypeObject->GetPrototype();
         }
     }
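Review bot: the `break` after `if (JavascriptProxy::Is(prototypeObject))` ends the walk at the proxy, so any object further up the chain is left unmarshalled; the inline comment should state that this is intentional and why it is acceptable (the rest of the chain is only reachable through the proxy's prototype trap, which is exactly the re-entrancy the commit message says must not happen during marshalling). Since the message notes the no-reentrancy macro only covers RS3 and up, this path is the sole guard on earlier builds, so a regression test with a proxy in the prototype chain of a cross-site object would be worth adding alongside this hunk.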