When IE blocks a pop-up, it displays an info bar that names the originating site — for example, “IE blocked a pop-up from evil.com”. The intent is to let users make an informed decision about whether to allow it. By using the Navigate method of the WebBrowser control ActiveX and passing a different URL as the first argument, the origin shown in the info bar could be spoofed to display any domain — including trusted ones like facebook.com.
<iframe id="webBrowser" style="display:none"></iframe>
<script language="JavaScript">
function blockMe(sUrl)
{
document.all.webBrowser.Navigate(sUrl,"","WIN");
}
</script>The Navigate method accepted a URL and a target window name. When called with "https://www.facebook.com" and target "WIN", IE’s pop-up blocker saw the navigation attempt as originating from facebook.com rather than from the actual page. The blocked pop-up notification then told users that Facebook was trying to open a window — making it plausible to allow. An attacker with an iFrame on Facebook’s domain (such as a third-party ad or widget) could use this to make their blocked pop-ups appear to come from Facebook itself.
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.