Creating a popup with the legacy IE createPopup() API from inside an IFrame, then navigating that IFrame away while the popup was still visible, left an orphaned popup window on screen. Manually resizing it afterward triggered an access violation in MSHTML!CDoc::OnWindowMessage.
// Create a popup from the first child IFrame's window (legacy IE API).
var badPop = window[0].createPopup();
// Show it at (100, 100), 600 x 200 px; the popup is now on screen.
badPop.show(100, 100, 600, 200);
// Half a second later, navigate the IFrame away. This destroys the document
// that owns the popup while the popup is still visible.
setTimeout(function () { window[0].location = "about:blank"; }, 500);
// Then manually resize the popup window that remains on screen.
The popup's window handle remained valid at the OS level after its owning CDoc had been freed: the popup was created by the child frame's document, and navigating that frame destroyed the document without destroying or detaching the popup. When the user dragged the resize handle, the window procedure dispatched the message to the stale CDoc pointer and dereferenced freed memory, a use-after-free. MSEC's !exploitable WinDbg extension rated the crash PROBABLY_EXPLOITABLE.
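To make the lifetime problem concrete, here is an added C model of the ownership pattern; it is not MSHTML code and not from the original post. A popup window holds a raw back-pointer to the document that created it. The vulnerable pair frees the document and leaves that pointer dangling, so the next message resizes into freed memory; the hardened pair detaches the window before the document is freed and refuses to dispatch to an orphan. The names Doc, PopupWindow, MSG_RESIZE and the scenario functions are assumptions made for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed message id for "the user resized the window" (not the real WM_SIZE). */
#define MSG_RESIZE 5

typedef struct PopupWindow PopupWindow;

/* Stand-in for the document object (CDoc in MSHTML); assumed name. */
typedef struct Doc {
    char url[64];
    PopupWindow *popup;      /* popup this document created, or NULL */
    int messages_seen;
} Doc;

/* Stand-in for the OS-level popup window, which outlives the document. */
struct PopupWindow {
    Doc *owner;              /* back-pointer into the document object */
    int width, height;
};

/* What the document does when a window message reaches it. */
static int doc_on_window_message(Doc *doc, int msg)
{
    doc->messages_seen++;
    return msg;
}

static Doc *doc_create(const char *url)
{
    Doc *doc = calloc(1, sizeof *doc);
    if (!doc) abort();
    strncpy(doc->url, url, sizeof doc->url - 1);
    return doc;
}

static PopupWindow *doc_create_popup(Doc *doc)
{
    PopupWindow *p = calloc(1, sizeof *p);
    if (!p) abort();
    p->owner = doc;
    doc->popup = p;
    return p;
}

/* VULNERABLE: navigating the frame away frees the document but leaves the
 * window, and its back-pointer, alive. */
static void doc_navigate_away_vulnerable(Doc *doc)
{
    free(doc);
}

/* VULNERABLE window procedure: trusts the back-pointer unconditionally. After
 * doc_navigate_away_vulnerable() this reads freed memory, which is the crash
 * in the write-up. Not called below; run it under AddressSanitizer to get a
 * heap-use-after-free report instead of an access violation. */
static int popup_resize_vulnerable(PopupWindow *p, int w, int h)
{
    p->width = w;
    p->height = h;
    return doc_on_window_message(p->owner, MSG_RESIZE);
}

/* HARDENED: the document detaches its popup before it goes away. */
static void doc_navigate_away_hardened(Doc *doc)
{
    if (doc->popup)
        doc->popup->owner = NULL;
    free(doc);
}

/* HARDENED window procedure: an orphaned window refuses to dispatch. */
static int popup_resize_hardened(PopupWindow *p, int w, int h)
{
    p->width = w;
    p->height = h;
    if (p->owner == NULL)
        return -1;           /* orphaned; caller should destroy the window */
    return doc_on_window_message(p->owner, MSG_RESIZE);
}

/* The write-up's sequence against the hardened code: create popup, navigate
 * the frame away, then resize. Returns the dispatch result (-1 = refused). */
static int scenario_orphan_resize(void)
{
    Doc *frame = doc_create("http://example.test/frame");
    PopupWindow *pop = doc_create_popup(frame);
    doc_navigate_away_hardened(frame);         /* frame document is gone */
    int r = popup_resize_hardened(pop, 600, 200);
    free(pop);
    return r;
}

/* Control: resizing while the owner is alive still dispatches; returns 1 on success. */
static int scenario_live_resize(void)
{
    Doc *frame = doc_create("http://example.test/frame");
    PopupWindow *pop = doc_create_popup(frame);
    int r = popup_resize_hardened(pop, 600, 200);
    int seen = frame->messages_seen;
    doc_navigate_away_hardened(frame);
    free(pop);
    return r == MSG_RESIZE && seen == 1;
}

int main(void)
{
    printf("orphan resize -> %d (expect -1)\n", scenario_orphan_resize());
    printf("live resize ok -> %d (expect 1)\n", scenario_live_resize());
    (void)popup_resize_vulnerable; (void)doc_navigate_away_vulnerable;
    return 0;
}
```

The detach-on-destroy step is the whole fix: whichever object dies first must sever the link, and the surviving side must treat a missing owner as "drop the message and tear the window down" rather than trust a pointer that is only as valid as the object it used to point at.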
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.