While testing Silverlight in Chrome 4.0.249.78, I stumbled across four Chrome-specific issues that were unrelated to Silverlight itself. They are a good reminder that security testing one component often surfaces bugs in the surrounding environment.
Bug 1 — DoS: Link Click While DevTools Are Paused
Clicking a link on a page while the JavaScript debugger was paused caused Chrome to crash.
Bug 2 — Access Violation: Event from Non-Existent Window
Firing an event from a window reference that had already been closed triggered an access violation in the renderer process.
Bug 3 — Close Any Tab
window.open("", "_self").close();Calling window.open with "_self" as the target and immediately closing the returned reference closed the current tab without any user confirmation.
Bug 4 — Open a Modal Outside the Screen Bounds
Passing negative coordinates to a modal dialog function allowed it to be positioned entirely off-screen, making it impossible for the user to interact with or dismiss it.
These were filed separately with the Chrome security team. The close-any-tab issue was the most interesting from a practical standpoint — it was a low-noise denial-of-service against the user’s browsing session.
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.