window.close() comodo browser remote denial of service

uhh hi

The Comodo Browser is vulnerable to window object based denial of
service attack. The brave browser fails to sanitize a check when window.close()
function is called in number of dynamically generated events… The
function is called in a suppressed manner and kills the parent window
directly by default which makes it vulnerable to denial of service attack.

Window.close() should be sanitized i don’t know why its being not implemented here
most of the browsers i tested Edge/Firefox is sanitizing the call and doesn’t allow / displays a popup when window.close() call is made

Following url with the html file can be sent to a victim



Comodo Browser

Proof of Concept

Click the below link to Trigger the Vulnerability..


There must be a parent window confirmation check prior to close of window.

Tested : Latest Comodo Browser
Windows 10 x64

This should apply to all platforms tho :P0l

Any updates ?

That’s probably what’s going on with my CID. I see very infrequent updates with CID and I would not be surprised if CID is being attacked with a DOS.

Hi, Souhardya! Thank you for the feedback.

I did some tests, as you can see here
We will look into this further.

Thank you very much,

The Comodo Browsers team[/i]

uh hi ,
Here is my POC video you can look at it here :slight_smile:

Also forgot to add this vulnerability i tested it on Comodo dragon the chromium based one

Comodo Dragon 67.0.3396.99 (Official Build) (32-bit)