Reading dialogArguments.window in a tight loop from inside a modeless dialog crashed IE9, and the crash triaged as PROBABLY_EXPLOITABLE under !exploitable. In IE, dialogArguments is whatever the opener passed to showModelessDialog, here the opener window itself, so each read of its window property went back through the wrapper for the opener; doing that repeatedly from a setTimeout callback triggered a use-after-free.
// Opener side (setup assumed from the description above): open a modeless dialog
// and pass it this window, so dialogArguments inside the dialog is the opener.
var win = showModelessDialog("about:blank", window);
// The string runs in the dialog's context and touches the opener ten times per tick.
win.setTimeout(
    "for (var i = 0; i < 10; i++) dialogArguments.window",
    100
); // Crash in IE9, rated PROBABLY_EXPLOITABLE
Each iteration resolved dialogArguments.window, which meant acquiring and releasing a reference to the opener's window wrapper in quick succession, and the reference-counting code did not keep the wrapper alive consistently across those iterations: the object could be freed while a pointer to it was still in use, the use-after-free that produced the crash. PROBABLY_EXPLOITABLE is the second-highest bucket of the !exploitable (MSEC) crash-triage extension. It means the faulting instruction matched a pattern that commonly leads to exploitation (for example, a read through a pointer the attacker may influence), but the tool could not confirm from the crash state alone that the corrupted value reached a code-flow transfer; a crash where tainted data demonstrably controlled a transfer, or any write access violation, would have been bucketed as EXPLOITABLE instead.
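The refcount imbalance described above, as an added toy model written for this page (it is not IE's code, and the specific shape of the bug, a property getter that hands out a raw pointer without AddRef while the caller Releases it, is an assumption; the post only says the reference counting failed under repeated access). Freeing is simulated by clearing an `alive` flag so the use-after-free can be observed rather than being undefined behaviour, and the buggy getter is shown next to a hardened one whose every returned pointer carries its own reference:

```c
#include <stdio.h>

/* Toy model of a COM-style reference-counted wrapper around the opener
 * window. Illustration only, not IE code. "Freeing" is simulated by
 * clearing `alive` so a later touch can be counted instead of crashing. */
typedef struct {
    long refcount;
    int alive;
} Window;

static void window_addref(Window *w)
{
    if (w->alive)
        w->refcount++;
}

static void window_release(Window *w)
{
    if (!w->alive)
        return;              /* release on freed memory: a real UAF write */
    if (--w->refcount == 0)
        w->alive = 0;        /* last reference gone: simulated free */
}

/* Assumed shape of the imbalance: the property getter returns the raw
 * pointer without AddRef, while the caller, following COM convention,
 * Releases what it was given. Every access costs one reference the owner
 * never granted. */
static Window *get_window_buggy(Window *opener)
{
    return opener;
}

/* Hardened getter: every pointer handed out carries its own reference. */
static Window *get_window_fixed(Window *opener)
{
    window_addref(opener);
    return opener;
}

/* Models `for (var i = 0; i < 10; i++) dialogArguments.window`: the script
 * engine fetches the property, uses the result, then drops its reference.
 * Returns how many iterations touched an already-freed object. */
static int run_loop(Window *opener, Window *(*getter)(Window *), int iters)
{
    int uaf_hits = 0;
    for (int i = 0; i < iters; i++) {
        Window *w = getter(opener);
        if (!w->alive)
            uaf_hits++;      /* use of a freed object: the crash site */
        window_release(w);   /* engine drops the reference it believes it holds */
    }
    return uaf_hits;
}

/* Ten iterations against an opener kept alive by exactly one reference
 * (the dialog's own). With the buggy getter the first iteration frees it
 * and the remaining nine touch freed memory. */
int uaf_hits_buggy(void)
{
    Window opener = { 1, 1 };
    return run_loop(&opener, get_window_buggy, 10);
}

/* Same loop with the hardened getter: no hits, and the opener survives.
 * Returns -1 if the object was wrongly freed anyway. */
int uaf_hits_fixed(void)
{
    Window opener = { 1, 1 };
    int hits = run_loop(&opener, get_window_fixed, 10);
    return opener.alive ? hits : -1;
}

int main(void)
{
    printf("buggy getter: %d use-after-free hits\n", uaf_hits_buggy());
    printf("fixed getter: %d use-after-free hits\n", uaf_hits_fixed());
    return 0;
}
```

The point of the model is the loop count: a single access of the buggy getter merely drops the owner's last reference, and it is the second and later iterations that touch freed memory, which is why a repeated read from a timer, rather than a one-off access, was needed to surface the crash.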
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.