HTC (HTML Component) behaviors in IE gave elements a secondary document context. I found that if an opener window held a reference to an HTC element’s document and then reloaded that document, subsequent access to the document object through the stale reference caused a crash with varying exploitability ratings depending on the timing.

// crash.htc
// <PUBLIC:COMPONENT URN="urn:msdn-microsoft-com:workshop">
// <SCRIPT DEFER LANGUAGE="JScript">
//   opener.element = this;
//   opener.reloadMe();
// </SCRIPT></PUBLIC:COMPONENT>

element.document.execCommand("Refresh");
var d = element.document; // Crash

The crash was classified as PROBABLY_EXPLOITABLE in some runs and EXPLOITABLE in others. The HTC reload invalidated the underlying CDoc pointer, but the JavaScript object wrapper kept pointing at the freed memory. The SCRIPT DEFER attribute in the HTC was itself noteworthy: the deferred script executed after the component was attached, giving the element a chance to report back to the opener before the reload.
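The stale-wrapper pattern described above is commonly closed off by having the wrapper hold a generation-checked handle instead of a raw pointer, so a reload turns the old reference into a detectable error. The sketch below is an added example, not IE's code; `Doc`, `DocHandle` and every function name are hypothetical stand-ins.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for illustration; not IE's real CDoc or wrapper types. */
#define MAX_DOCS 8
typedef struct { int live; uint32_t gen; int title_len; } Doc;
typedef struct { uint32_t slot; uint32_t gen; } DocHandle; /* what the script wrapper stores */
static Doc doc_table[MAX_DOCS];

/* Create a document in a free slot; the handle is bound to that slot's generation. */
DocHandle doc_create(int title_len) {
    for (uint32_t i = 0; i < MAX_DOCS; i++) {
        if (!doc_table[i].live) {
            doc_table[i].live = 1;
            doc_table[i].gen++;              /* every reuse of a slot gets a new generation */
            doc_table[i].title_len = title_len;
            return (DocHandle){ i, doc_table[i].gen };
        }
    }
    return (DocHandle){ MAX_DOCS, 0 };       /* table full: invalid handle */
}

/* Resolve a handle to a document, or NULL if the handle is stale or invalid. */
Doc *doc_resolve(DocHandle h) {
    if (h.slot >= MAX_DOCS) return NULL;
    Doc *d = &doc_table[h.slot];
    return (d->live && d->gen == h.gen) ? d : NULL;
}

/* Models the reload: the old document is torn down and a new one takes its place. */
DocHandle doc_reload(DocHandle old, int title_len) {
    Doc *d = doc_resolve(old);
    if (d) d->live = 0;
    return doc_create(title_len);
}

/* Wrapper-side accessor: reports -1 rather than touching a dead document. */
int wrapper_title_len(DocHandle h) {
    Doc *d = doc_resolve(h);
    return d ? d->title_len : -1;
}

int main(void) {
    DocHandle stale = doc_create(5);         /* reference held by the opener */
    DocHandle fresh = doc_reload(stale, 9);  /* same slot, new generation */
    printf("stale=%d fresh=%d\n", wrapper_title_len(stale), wrapper_title_len(fresh));
    return 0;
}
```

Even though the reloaded document reuses the same slot, the old handle fails the generation check and the accessor returns an error value instead of dereferencing freed state.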

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.