By attaching a behavior:url(...) to a <link> element pointing at a file:// URL and counting the number of scripting errors thrown, a page could determine whether a specific file existed on the local system. One error meant the file was not found; two or more meant it was found but the behavior load was blocked.
<link href="file:///c:/localfile.txt"
style="behavior:url(http://THIS_THROWS_ACCESS_DENIED)"/>// Error count == 1 → file does not exist
// Error count >= 2 → file exists (but behavior load was denied)
window.onerror = function() { errorCount++; };This was a pure information-disclosure issue. A malicious page could probe for the existence of sensitive files or installed software by checking for well-known paths, without ever reading the file contents. The fix involved ensuring that file:// URL resolution for behavior attributes followed the same security rules as other cross-zone content.
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.