Calling document.open() on a freshly created popup document caused a PROBABLY_EXPLOITABLE crash in IE9. The popup document was not in a state that supported being re-opened, and the open() call corrupted internal state.

createPopup().document.open(); // Crash — PROBABLY_EXPLOITABLE

A createPopup() document is implicitly opened and closed as part of the show() flow. Calling document.open() on it manually bypassed that lifecycle management and left the document in an invalid state. The crash occurred deep in the document parsing infrastructure and was rated PROBABLY_EXPLOITABLE by !msec.exploitable.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.