Today, I discovered an Internet Explorer exploit that can be used to circumvent popup-blocking software. This exploit can be used by websites and online ad agencies to serve popup advertisements.
Popup blockers target the window.open statement to prevent the opening of new windows. The first parameter for the open statement contains the URL of the advertisement. The second parameter contains the user-defined name for the window. The _search exploit involves the use of the second parameter.
When you use _search, Internet Explorer allows you to open URLs inside the search pane rather than in a new window. For this, the second parameter has to be _search. Popup blockers do not block URLs opened in the search pane of Internet Explorer.
To test the exploit, copy the following code to an HTML page on a site. Open the page in Internet Explorer. Keep the popup-blocking feature of Google Toolbar or Altavista Toolbar or MSN Toolbar on. None of these toolbars block the test site Yahoo.com from being opened in the search pane.

    <html>
    <head></head>
    <body onload="window.open('http://www.example.com', '_search')">
    <p>Website Content</p>
    </body>
    </html>

When you use some other target window, the second parameter becomes a user-defined name for the window. The toolbars then kick into action and block the test site Yahoo.com from being opened.

    <html>
    <head></head>
    <body onload="window.open('http://www.example.com', 'search')">
    <p>Website Content</p>
    </body>
    </html>

Popup killer utilities including IE toolbars don’t check web pages loaded in the search pane. So, advertisers can load web pages in the search pane and make them launch popups.
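A defender-side check for the pattern described above, as an added example that is not part of the original post: it scans a page's inline event handlers and script blocks for window.open calls and flags those whose second parameter is _search. The function names, the sample pages and the case-insensitive comparison of the target are assumptions made for illustration.

```javascript
// Added example: names and sample pages are constructed for illustration.
const SAMPLE_PAGES = {
  searchPane: `<html><head></head><body onload="window.open('http://www.example.com', '_search')"><p>Website Content</p></body></html>`,
  namedWindow: `<html><head></head><body onload="window.open('http://www.example.com', 'search')"><p>Website Content</p></body></html>`,
  scriptBlock: `<html><head><script>window.open("http://www.example.com", "_SEARCH");</script></head><body></body></html>`,
};

// window.open(<quoted URL>, <quoted target>), with single or double quotes.
const OPEN_CALL = /window\.open\(\s*(['"])(.*?)\1\s*,\s*(['"])(.*?)\3/g;

// Collect the places script can live: double-quoted on* attributes and <script> bodies.
function codeFragments(html) {
  const frags = [];
  for (const m of html.matchAll(/\bon(\w+)\s*=\s*"([^"]*)"/gi)) {
    frags.push({ where: 'on' + m[1].toLowerCase(), code: m[2] });
  }
  for (const m of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    frags.push({ where: 'script', code: m[1] });
  }
  return frags;
}

// Report every window.open call and whether its target is the search pane.
// Comparing the target case-insensitively is a conservative assumption.
function auditPage(html) {
  const findings = [];
  for (const { where, code } of codeFragments(html)) {
    for (const m of code.matchAll(OPEN_CALL)) {
      const target = m[4];
      findings.push({ where, url: m[2], target, searchPane: target.toLowerCase() === '_search' });
    }
  }
  return findings;
}

for (const [name, html] of Object.entries(SAMPLE_PAGES)) {
  console.log(name, JSON.stringify(auditPage(html)));
}
```

This is a static match on literal arguments only; a target string assembled at run time would not be seen by it.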
UPDATE: Microsoft has eliminated the _search hole in an update.