A straightforward pattern that turned out to be surprisingly reliable: cache a reference to an IFrame’s window, destroy the IFrame by replacing its HTML, then call any window method through the cached reference.

w = window[0];
document.all.tags("IFRAME")[0].outerHTML = "Hasta la vista";
w.moveTo(0, 0); // Crash

Replacing the IFrame’s outerHTML teardown the underlying CWindow object, but the JavaScript variable w still held a COM reference. Calling moveTo on the now-dead window caused an access violation. The fix required ensuring the script engine properly invalidated all references to a window when its DOM node was destroyed.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.