Pop-under script bypassing popup blocker and focus control rules
Reported by alexscot...@gmail.com, Dec 29 2017
Issue description

Not sure if this would fall under security or UI/Usability/Bug etc. If it is miscategorized I apologize.

VULNERABILITY DETAILS
JavaScript that allows for a site to generate pop-under type windows underneath the user's browser window, bypassing the pop-up blocker and focus control rules. The behavior is summarized as:
1. A user clicks on some affected element on the page, and the mouse-down event triggers a new tab
2. A mouse-up listener is attached to the new tab and immediately captures the mouse-up event from the same click to trigger a second pop-up window on the same single effective user action.
3. The tab is dynamically populated with a base64-encoded PDF document that forces Chrome's internal PDF viewer to generate a "Please wait.." dialog that pulls focus back to the main browser window
5. An on-focus listener attached to the tab immediately clears the dynamically rendered PDF, in turn closing the "please wait.." dialog.
6. The tab is then closed, leaving the pop-under window that persists behind the browser window until the user notices it.

This was observed and reverse-engineered from a heavily obfuscated script that is being marketed commercially here: http://popunderjs.com/

VERSION
Chrome Version: 63.0.3239.108 (Official Build) (64-bit) - Stable
Operating System: Windows 8, Windows 10

REPRODUCTION CASE
Attached HTML page and included JavaScript demonstrate the issue.

Dec 30 2017
Many popunder bugs have been fixed lately: bug 769351, bug 780250, bug 768900. Please check and report whether this successfully creates a popunder on Chrome Canary.

Jan 4 2018
Sorry for the slow response. This does not occur in Canary.

Jan 4 2018
Ah, thank you for checking. I'll close this bug then. If you find a popunder technique that works on Canary, please file it and send the bug to me. I'm always happy to kill those dead.

Comment 1 by elawrence@chromium.org, Dec 29 2017
Components: UI>Browser>PopupBlocker
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Summary: Pop-under script bypassing popup blocker and focus control rules (was: Security: Pop-under script bypassing popup blocker and focus control rules)
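
Step 2 of the report turns one physical click into two popup-eligible events (mouse-down, then mouse-up). The toy model below is an added example, not code from the report or from Chromium; it contrasts a blocker that grants an allowance per input event with one that spends a single allowance per gesture. The event trace is constructed and every name in it is hypothetical.

```javascript
// Toy model of popup-blocker gesture accounting (illustration only, not Chromium code).

// Constructed trace: gesture 1 is the click from the report (mousedown opens a tab,
// mouseup from the same click asks for a second window); gesture 2 is an ordinary click.
const TRACE = [
  { gesture: 1, type: "mousedown", wantsPopup: true },
  { gesture: 1, type: "mouseup", wantsPopup: true },
  { gesture: 2, type: "click", wantsPopup: true },
];

// Weak policy: every trusted input event carries its own popup allowance.
function perEventPolicy() {
  return { allows: () => true };
}

// Stricter policy: one allowance per user gesture, consumed by the first popup.
function perGesturePolicy() {
  const spent = new Set();
  return {
    allows(ev) {
      if (spent.has(ev.gesture)) return false;
      spent.add(ev.gesture);
      return true;
    },
  };
}

// Replay a trace against a policy and record which popup requests got through.
function replay(policy, trace) {
  const opened = [];
  const blocked = [];
  for (const ev of trace) {
    if (!ev.wantsPopup) continue;
    (policy.allows(ev) ? opened : blocked).push(`${ev.gesture}:${ev.type}`);
  }
  return { opened, blocked };
}

// Audit helper: gestures that produced more than one popup under a policy.
function gesturesWithMultiplePopups(policy, trace) {
  const counts = new Map();
  for (const id of replay(policy, trace).opened) {
    const g = Number(id.split(":")[0]);
    counts.set(g, (counts.get(g) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n > 1).map(([g]) => g);
}

console.log("per-event:  ", replay(perEventPolicy(), TRACE));
console.log("per-gesture:", replay(perGesturePolicy(), TRACE));
```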