by cheald 4838 days ago
The point remains that this kind of thing is entirely possible via "legitimate" methods, too.

If the bad guys can inject JavaScript into your page, it's game over, period. The attack vector is meaningless; there are tons of them. If I can inject my JavaScript into your page to hijack your clicks, why would I bother with that rather than just putting an invisible iframe into the page that delivers the payload without any user interaction required? It's going to get me far better results, doesn't rely on undocumented behavior, and isn't contingent on a user failing to notice a splash screen.


Maybe there's a side to it that I'm not aware of, but as far as I know, it's become very difficult to run exploitable JS in an iframe.
cjc1083's proposed attack vector is an interstitial page which drops a Java/Flash 0-day on you and forwards you to your original target site, leaving you compromised and none the wiser. My point is that if you can even do the redirect in the first place, it's much simpler to just iframe in the attack page and do the drop directly rather than waiting on user input to do it in a manner that they might notice.
You are 100% right, I guess I was just taking the concept to a place where I could mentally weaponize it. Thanks!
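The invisible-iframe pattern cheald describes above (a frame injected into the page, hidden with `display:none`, zero size or zero opacity, that loads a payload with no user interaction) is something a defender can look for in served or crawled HTML. The check below is an added example, not code from this thread; the sample HTML is constructed, the `payload.invalid` hosts are placeholders, and the size/style heuristics are assumptions about how such frames are typically hidden.

```python
"""Flag <iframe> elements that are styled or sized to be invisible.

Added example (not from the thread). Defender-side triage for the
injected hidden-iframe pattern discussed above. The sample document and
hostnames are constructed; the hiding heuristics are assumptions.
"""
import re
from html.parser import HTMLParser

# (label, pattern) pairs for inline styles that make an element invisible.
HIDDEN_STYLES = (
    ("display:none", re.compile(r"display\s*:\s*none", re.I)),
    ("visibility:hidden", re.compile(r"visibility\s*:\s*hidden", re.I)),
    ("opacity:0", re.compile(r"opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)", re.I)),
)


def _css_length(style, prop):
    """Numeric value of `prop` (width/height) from an inline style, or None."""
    m = re.search(r"(?<![-\w])%s\s*:\s*(\d+(?:\.\d+)?)\s*(?:px)?" % prop,
                  style, re.I)
    return m.group(1) if m else None


def _tiny(value):
    """True for a width/height of 0 or 1 px, a common way to hide a frame."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+(?:\.\d+)?)\s*(?:px)?\s*$", value)
    return m is not None and float(m.group(1)) <= 1


class HiddenIframeFinder(HTMLParser):
    """Collects every <iframe> whose style or dimensions make it invisible."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "")
        reasons = [label for label, pat in HIDDEN_STYLES if pat.search(style)]
        # Inline style wins over the width/height attribute when both exist.
        for prop in ("width", "height"):
            val = _css_length(style, prop) or a.get(prop)
            if _tiny(val):
                reasons.append("%s<=1px" % prop)
        if reasons:
            self.findings.append({"src": a.get("src", ""), "reasons": reasons})


def find_hidden_iframes(html):
    """Return [{'src': ..., 'reasons': [...]}] for each invisible iframe."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: one legitimate embed, three hidden frames.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example/embed" width="640" height="360"></iframe>
<iframe src="https://payload.invalid/drop" style="display:none"></iframe>
<iframe src="https://payload.invalid/x" width="0" height="0"></iframe>
<iframe src="https://payload.invalid/y"
        style="position:absolute;opacity:0;width:1px;height:1px"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_HTML):
        print(f["src"], "->", ", ".join(f["reasons"]))
```

Hidden frames also have legitimate uses (analytics, silent token refresh), so treat the output as a triage list to compare against the frames your own templates are expected to emit; an unexpected entry is the signal that something was injected.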