IE10 Screen Not Updated After about:Tabs Navigation

Opening about:Tabs and immediately redirecting it to another URL leaves the display showing the about:Tabs content while the address bar updates correctly. The user sees their real recently closed tabs and frequent sites, but the page is actually under attacker control — createPopups, custom HTML, and scripting all run in that visual context.

function main() {
    win = window.open("about:Tabs");
    win.location.href = "createpopup.html?RND=" + Math.random();
}

The address bar does update to the new URL, so a careful user looking up there would not be deceived. The concern is that users trust the about:Tabs layout because it reflects their real browsing history — the attacker page can render the same familiar tiles while running arbitrary code underneath. Tested on IE10 Desktop, Win8 RTM.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [IE10 Access to Feeds Generated Page] :: [Persistent Keylogger via Embed HTML and createPopup] >