fix: use Reflect.apply instead of .call() in Promise handlers (#549)

Replace unsafe `.call()` usage with `Reflect.apply` in globalPromise.prototype.then and globalPromise.prototype.catch to prevent potential interception via Function.prototype.call override.

Author: patriksimek

lib/setup-sandbox.js

@@ -57,7 +57,7 @@ globalPromise.prototype.then = function then(onFulfilled, onRejected) {
 			return apply(origOnRejected, this, [error]);
 		};
 	}
-	return globalPromiseThen.call(this, onFulfilled, onRejected);
+	return apply(globalPromiseThen, this, [onFulfilled, onRejected]);
 };
 
 globalPromise.prototype.catch = function _catch(onRejected) {
@@ -69,7 +69,7 @@ globalPromise.prototype.catch = function _catch(onRejected) {
 			return apply(origOnRejected, this, [error]);
 		};
 	}
-	return globalPromiseCatch.call(this, onRejected);
+	return apply(globalPromiseCatch, this, [onRejected]);
 };
 
 const localReflectApply = (target, thisArg, args) => {