A website analytics firm has discovered a security vulnerability in all current versions of Internet Explorer that allows attackers to trace mouse cursors anywhere on users' screens.
The vulnerability can be exploited to capture virtual or screen keyboard input, Spider.io said.
Such input methods are typically used to reduce the risk of keylogger malware recording keystrokes on physical keyboards.
Virtual keyboards are also used by disabled people, and when there is no physical keyboard present.
Security vendor Kaspersky Lab uses a virtual keyboard as part of its Anti-Virus 2013 product to avoid interception of data.
User names, passwords and credit card details can be captured through the exploit, according to Spider.io.
Two unnamed display ad analytics companies already exploit the vulnerability, "across billions of page impressions a month," Spider.io said.
Thanks to Internet Explorer's event model populating the global Event object with mouse event attributes, and the ability to trigger events manually through the fireEvent() method, attackers can easily work out where on the screen the mouse cursor is placed.
Spider.io has set up a demo page to show how the data leakage vulnerability works.
iTnews tested with Internet Explorer 9 on Windows 7 and Internet Explorer 10 on Windows 8, and can confirm that the mouse cursor tracking exploit works on both.
Other browsers such as Chrome, Opera and Firefox are not vulnerable to the exploit.
Microsoft's Security Research Centre has been notified by Spider.io and acknowledged the vulnerability in Internet Explorer.
However, according to Spider.io, the MSRC said "there are no immediate plans to patch this vulnerability in existing versions of the browser."