Sending tainted number via postmessage leaves them in 'zombie state'

[leeN]

While debugging stuff related to the primitive tainting, I noticed something that breaks some applications in a subtle way.

If I send a tainted string via post message, it gets cloned, transferred, and deserialized as expected. The same sadly is not true for numbers.

<!DOCTYPE html>
<html>
  <head>
    <script>
      window.addEventListener(
  "message",
  (event) => {
    d = event.data;
    console.log(`Number: ${d.num}, (type: ${typeof d.num}), taint: ${d.num.taint}`);
    console.log(`String: ${d.str}, (type: ${typeof d.str}), taint: ${d.str.taint}`);
  },
  false,
);
        let tn = Number.tainted(52);
        let ts = String.tainted("foo");
        window.postMessage({ num: tn, str: ts}, "*");
    </script>
  </head>
  <body></body>
</html>

I would expect this to print something like:

Number: 52, (type: number), taint: [object Object] test.html:9:13
String: foo, (type: string), taint: [object Object] test.html:10:13

but instead it is as follows:

Number: 52, (type: object), taint: null [test.html:9:13]
String: foo, (type: string), taint: [object Object] [test.html:10:13]

That is, the value is correctly restored, but the taint object is left as null. This changes the semantics of the typeof operator, which is problematic if you are sending properties of the client to yourself via post message.