Did windows update 2846071 break the handling of window.event.clientX clientY?

Did windows update http://support.microsoft.com/?kbid=2846071 break the handling of window.event.clientX and clientY? It seems that Windows 7 machines using IE 9 or 10 now return something that looks like the window position (top left corner) rather than the mouse position within the window. The numbers look accurate, but may be negative.

Or is that a "fix" and I should really be using something else for the mouse position.

I was using it in window.onbeforeunload to detect a user leaving the page without logging out and giving them the boot, but I'm disabling that today until I figure this out.



Argh! Ok so here is the issue Microsoft was trying to fix AND what they broke in the process.

Originally IE was leaking the event coordinates outside the browser viewport (1) (e.g. in a region that the webpage should not know about) as well as leaking the coordinates when the IE window didn't have the active focus (2) (e.g. when you are in another app, or on another monitor... and finally it leaked some keystrokes (3).

It looks like Microsoft fixed the leaking of coordinates... but did so by COMPLETELY removing all of them... including the USEFUL in viewport coordinates!

e.g. events are returning undefined for X,Y coordinates that are most certainly 100% inside the browser viewport.


This really looks like something Microsoft didn't intend releasing.

  • Previously, they have stated they did not think there was any risk "outside the lab"
  • The change is undocumented in the patch, which refers to "Memory Corruption" and "JIS Character Encoding Vulnerabilities"
  • If clientX only returned coordinates within the page, the risk goes away

Is a patch for the patch on the way?

Further: The problem with clientX/clientY (and similar properties) is dependent on the event used to fire the javascript. I've found that onfocus returns incorrect coordinates, but onclick returns correct coordinates. Haven't tried other events.


The javascript in the OP was broken by this Microsoft July 2013 update (this is even acknowledged in the "Known issues" section):


But it was fixed in this August 2013 update:


I have confirmed that clients on which I install the Aug update no longer have the issue.


Recent Questions

Top Questions

Home Tags Terms of Service Privacy Policy DMCA Contact Us

©2020 All rights reserved.