Severe IE 11 Bug Allows 'Persistent JavaScript' Attacks

An anonymous reader writes: New research published today shows how a malicious website owner could show a constant stream of popups, even after the user has left his site, or even worse, execute any kind of persistent JavaScript code while the user is on other domains. In an interview, the researcher who found these flaws explains that this flaw is an attacker's dream, as it could be used for: ad fraud (by continuing to load ads even when the user is navigating other sites), zero-day attacks (by downloading exploit code even after the user has left the page), tech support scams (by showing errors and popups on legitimate and reputable sites), and malvertising (by redirecting users later on, from other sites, even if they leave the malicious site too quickly).

This severe flaw in the browser security model affects only Internet Explorer 11, which unfortunately is the second most used browser version, after Chrome 55, with a market share of over 10%. Even worse for IE11 users, there's no fix available for this issue because the researcher has decided to stop reporting bugs to Microsoft after they've ignored many of his previous reports. For IE11 users, a demo page is available here.

This is not really javascript's fault

[SuperKendall]

If this issue were a problem in Javascript it (or some variant) would work in a lot more browsers than just IE11.

But it's not. The bug here boils down to Microsoft adding an ActiveX call into Javascript, then that call activating some native HTML ActiveX component and using it in a super bad way.

That's not Javascript's fault, that's on Microsoft for punching such a large hole in the sandbox.