Open
Description
In the Wavebox browser, the window.close() method can be executed successfully even when the current window was not opened via window.open(). This behavior deviates from the standard implementation in most modern browsers (like Chrome, Firefox, Safari), which restrict the use of window.close() to windows opened programmatically. This unexpected behavior could be exploited by attackers to trick users into navigating to a phishing site, and then forcefully close the tab, erasing traces or interrupting user actions.
Save this HTML file:
```html
<!-- PoC from the report: a link that calls window.close() on the current tab -->
<html>
<head>
<title>Browser Window Object Remote Denial of Service.</title>
</head>
<body><br><br>
<h1><center>Browser Window Object Remote Denial of Service</center></h1><br><br>
<h2><center>Proof of Concept</center><br><br></h2>
<center>
<b>Click the below link to Trigger the Vulnerability..</b><br><br>
<hr>
<hr>
<b><a href="javascript:window.close(self);">Browser Window Object DoS Test POC</a></b>
</center>
</body>
</html>
```
Open it, then click on the link. You should realize that the tab is closed when you click on that link. This behavior does not appear in the Chromium browser.
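For triage, the restriction the report refers to is the HTML Standard's "script-closable" check on `window.close()`. The block below is an added model of that rule, not code from Wavebox, Chromium or the reporter, and the context field names are assumptions. It also shows that a user-opened tab with a single history entry is closable by script, so a reproduction should load the PoC in a tab that already has session history.

```javascript
// Added model of the HTML Standard's "script-closable" rule; not browser source.
// The ctx fields (openedByScript, isTopLevel, historyLength) are hypothetical names.

function isScriptClosable(ctx) {
  // window.close() only ever acts on a top-level browsing context.
  if (!ctx.isTopLevel) return false;
  // Case 1: the context was created by script, e.g. via window.open().
  if (ctx.openedByScript) return true;
  // Case 2: the session history holds exactly one document.
  return ctx.historyLength === 1;
}

function handleWindowClose(ctx) {
  if (!isScriptClosable(ctx)) {
    return { closed: false, reason: 'not script-closable: call ignored' };
  }
  const reason = ctx.openedByScript ? 'opened by script' : 'single history entry';
  return { closed: true, reason };
}

// Constructed sample contexts covering the cases relevant to the report.
const SAMPLES = {
  popupFromWindowOpen: { openedByScript: true, isTopLevel: true, historyLength: 3 },
  userTabAfterNavigation: { openedByScript: false, isTopLevel: true, historyLength: 2 },
  userTabFreshlyOpened: { openedByScript: false, isTopLevel: true, historyLength: 1 },
  embeddedFrame: { openedByScript: false, isTopLevel: false, historyLength: 1 },
};

// Returns { sampleName: wasClosed } for each context.
function triage(samples) {
  const out = {};
  for (const [name, ctx] of Object.entries(samples)) {
    out[name] = handleWindowClose(ctx).closed;
  }
  return out;
}

console.log(triage(SAMPLES));
```

A browser that closes the `userTabAfterNavigation` case is the one deviating from the rule; the `userTabFreshlyOpened` case closing is expected behaviour.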