To be clear it's a fake tech support website with a fake malware warning, it's not attempting to download malware afaics. Also firefox has the same problem and I filed at https://bugzilla.mozilla.org/show_bug.cgi?id=1450083

The server at 207.246.92.127 is down now so I've attached a Fiddler capture from earlier today. Some of the responses are gzipped so to search through them you'd have to enable 'Decode compressed content' in the search window or to inspect them raw per session in Inspectors click the banner 'Response body is encoded. Click to decode.'

Deleted: espn.cm redirect to fake tech support.saz 2.6 MB

espn.cm redirect to fake tech support.saz 2.6 MB Download

As the attachment in comment #3, creates a malware and causes a system corrupt. Hence, adding label TE-NeedsTriageHelp for further investigation from dev team.

Thanks...!!

Sounds like a security issue with the renderer.  Tagging appropriately (I hope).

Adding avi@ and csharrison@ who are working on killing popups and tabunders. It looks to me from the animated gif that the switch of the tab likely has user gesture bit set on losing focus, which the page uses to create the extra window. However, this is purely a guess, so it needs to be verified.

If we're giving the user gesture bit on the _loss_ of focus that's a serious bug. I tried the simplest thing by issuing a popup onblur:
data:text/html,<script>window.onblur = () => window.open()</script>

But I couldn't get a repro on Mac. +mustaq if you've seen any cases like this recently. It almost looks like the page is receiving gestures from any native interaction (e.g. even closing the tab seems to be hijacked!).

Interesting, never seen anything like this before.

I am not aware of any NotifyUserActivation calls triggered from a user action outside content area directly.  But there could be an indirect way since we currently have plenty of cases (postMessaging, extension messaging, navigation...) where a user gesture token is converted to a Boolean and then transferred over to a new context to recreate it there.  Such conversions can be exploited to mimic user activation.

Here is one possible explanation of this behavior:

1. The malware page somehow starts with a user activation.  For example, if page is opened by clicking on a link, the activation state could remain since some navigation operations don't consume user activations (at least until a recent fix by csharrison@).

2. The page is keeping the activation alive indefinitely.  It can use repeated token<->Boolean conversion to infinitely extend the lifetime of a token and/or to keep creating new tokens upon 1-sec expiry.  E.g. send a message to an extension background page (or postMessage to a subframe) which relays back the message right before 1-sec expiry limit.  The postMessage possibility was fixed by alexmos@ few weeks ago.

3. Then calling window.open on "blur" event should always succeed.

Btw, one of the reasons I am passionate about User Activation v2 is to nuke all those Boolean<->token conversions.

Nice analysis mustaq. (1) seems far-fetched to me because the .gif shows a normal omnibox navigation. Still, (2) seems possible.

One extra point: the site seems to actually _prevent_ closing the tab / unfocusing it. This seems like more than what should be possible even with activation.

mustaq@ and csharrison@, given that you have a theory about how this happens, can you please move this out of the Unconfirmed queue?

I'm hesitant to remove Unconfirmed until someone repros this. I haven't had time to dig into the fiddler.