This variation on resident script execution used an HTML <object> element and an external window to keep a script context alive after the user navigated away. By holding a reference to the object’s parentWindow from a helper window, the attacker could continue executing code that appeared to originate from whatever page was currently in the foreground.
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>ResidentObjectExternalReference</title>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" />
</head>
<body>
<script language="JavaScript">
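// Legacy IE form of createElement that takes a full HTML string; it is only accepted in old IE document modes such as the IE8 mode requested above.
var obj = document.createElement('<object type="text/html" data="dummy.html" width="100" height="100"></object>');
// Opens the helper window (resident.html), which reaches back to this page through window.opener.
function main()
{
    window.open("resident.html","", "width=300,height=300");
}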
</script>
</body>
</html>
The helper window (resident.html) grabbed a reference to opener.obj.parentWindow, navigated the main window to a new URL via opener.location, and then called setInterval on that saved reference to fire alerts every five seconds. Because the HTML object’s window context survived the top-level navigation, the intervals fired while Google (or any other site) was displayed — making the dialogs appear to come from the legitimate site. This required a helper pop-up window to hold the reference, but the effect on the user was indistinguishable from the simpler onpagehide variant.
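The lifetime rule this bug broke, shown as a toy model that is added here for illustration and is not code from the original page or from any browser: with teardown that stops at the top-level document, a timer set through the saved reference still fires under the new foreground page, and with teardown that cascades to embedded contexts it does not. The class names, the `replay` function and the example origins are all constructed assumptions.

```javascript
// Toy model of script-context lifetime (constructed; not browser code).
class ScriptContext {
  constructor(origin, parent = null) {
    this.origin = origin;
    this.active = true;            // may script in this context still run?
    this.children = [];
    if (parent) parent.children.push(this);
  }
}

class Tab {
  constructor(origin, cascadeTeardown) {
    this.cascadeTeardown = cascadeTeardown;
    this.top = new ScriptContext(origin);
    this.timers = [];              // entries: { owner, callback }
  }
  // Top-level navigation always retires the old document. Whether its
  // embedded contexts are retired with it is the behaviour being compared.
  navigate(origin) {
    const stack = this.cascadeTeardown ? [this.top] : [];
    this.top.active = false;
    while (stack.length) {
      const ctx = stack.pop();
      ctx.active = false;
      stack.push(...ctx.children);
    }
    this.top = new ScriptContext(origin);
  }
  setInterval(owner, callback) {
    this.timers.push({ owner, callback });
  }
  // One timer tick: a timer fires only if its owning context is active.
  // Returns what the user would see, tagged with the foreground page.
  tick() {
    return this.timers
      .filter((t) => t.owner.active)
      .map((t) => ({ foreground: this.top.origin, owner: t.owner.origin, text: t.callback() }));
  }
}

// Replays the sequence from the paragraph above using constructed origins.
function replay(cascadeTeardown) {
  const tab = new Tab("https://page-a.example", cascadeTeardown);
  const held = new ScriptContext("https://page-a.example", tab.top); // the <object> context, as saved by the helper
  tab.navigate("https://page-b.example");    // main window moves to another site
  tab.setInterval(held, () => "dialog");     // timer set through the saved reference
  return tab.tick();
}
console.log(replay(false), replay(true));
```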
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.