Jenna rubbed her eyes. She was the sole keeper of “Hermes,” Safari’s content-blocking engine. For three years, it had been flawless. But tonight, the web had learned a new trick.
Window after window spawned. Nested iframes. Redirect chains. Fake system dialogs. A casino ad that sang opera. A "Your Mac has 3 viruses" alert that pulsated like a heartbeat. Safari was drowning.
The opera-singing casino ad froze mid-aria.
At 2:15 AM, she found the exploit. A JavaScript function called bypassBlocker() buried in a supply-side ad kit. It worked by creating a null event loop—a split-second gap where the browser thought the user’s interaction was still in progress, even after the user had moved on.