News : Three-year-old JavaScript Bug Continues to Plague IE7

Last Friday, Polish researcher Michal Zalewski reported discovering an interesting little JavaScript trick that keeps a user stuck on a Web page even though he's trying to navigate somewhere else. His discovery involves the simple use of a JavaScript event to make it appear as though a browser is displaying any particular URL, when it's not.

When the exploit works, the onunload() event triggers the execution of JavaScript code the moment the user exits a Web page - which is how this JavaScript event is designed to work. But from there, the exploit would write information to the Web page without changing the contents of the address bar, potentially enabling a phisher to drop genuine-looking contents into a page to fool the user into thinking he's on a legitimate site.

Of course, the code itself would need to be attached to a page whose authenticity can't be questioned even though the event code hasn't been run yet. That's a tricky maneuver unless the HTML framework is being run by an e-mail client whose JavaScript interpreter is enabled.

In BetaNews tests of Zalewski's test page in IE7 on multiple Windows machines, including two XP-based systems and one Vista-based Virtual PC-driven environment, the test page failed to spoof a Web site effectively when the user attempts to exit the page by clicking on a link in IE7's Links toolbar or Favorites list. While the user is still stuck on the test page, the address bar continues to read the test page's address.

However, when an address is typed manually into the IE7 address bar, the user remains stuck on the Web page while the address bar continues to read what the user typed. If the user tries clicking Links or Favorites again, the page remains stuck, and the address bar continues to show what the user typed. Apparently, when IE7 allows JavaScript to process the onunload() event, it does not change the contents of the address bar - it continues to show whatever it did before.