IE9’s InfoBar (the yellow notification bar) was supposed to show the domain of the page that triggered a blocked popup. By calling window.open() eleven or more times, the InfoBar’s domain cache overflowed its limit and stopped updating, displaying a stale domain while new popups came from a different origin.
for (var i = 0; i < 10; i++) window.open();
// The 11th open navigates to the attacker domain,
// but the InfoBar still shows the original domain
Disassembly of CPopupWindowHandler::_CacheContextUrlInfo revealed the check cmp dword ptr [edx+24h], 0Bh (0Bh = 11): once the count reached 11, the function simply skipped caching, so the stored domain was never refreshed. A user looking at the InfoBar would read a trusted domain name while the blocked popup actually belonged to a different origin.
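Added example (a model written for this note, not IE9's own code): a simulation of the InfoBar origin cache that reproduces the failure mode described above beside a corrected cache whose security indicator always follows the latest blocked popup. The origins, the counter field and the exact >= comparison are assumptions for illustration.

```javascript
// Constructed sample origins (not from the original report).
const TRUSTED_ORIGIN = "https://trusted.example";
const OTHER_ORIGIN = "https://other.example";

const CACHE_LIMIT = 0x0b; // the 0Bh (11) seen in _CacheContextUrlInfo

// Buggy model: a per-context call counter gates the cache update. Once the
// counter reaches the limit the cached domain is never refreshed, so the bar
// keeps showing whatever origin was recorded by the earlier calls.
function makeBuggyInfoBar() {
  let calls = 0;        // assumed counterpart of [edx+24h]
  let cached = null;    // the domain the InfoBar will display
  return {
    onPopupBlocked(origin) {
      calls += 1;
      if (calls >= CACHE_LIMIT) return; // 11th and later calls skip caching
      cached = origin;
    },
    displayedOrigin() { return cached; },
  };
}

// Corrected model: the indicator is derived from the event that triggered
// the InfoBar, with no bounded counter in the path, so it cannot go stale.
function makeFixedInfoBar() {
  let latest = null;
  return {
    onPopupBlocked(origin) { latest = origin; },
    displayedOrigin() { return latest; },
  };
}

// Drive a bar with n blocked popups from originA followed by one from
// originB, and return what the bar would show the user at the end.
function simulate(bar, n, originA, originB) {
  for (let i = 0; i < n; i += 1) bar.onPopupBlocked(originA);
  bar.onPopupBlocked(originB);
  return bar.displayedOrigin();
}

// True when the displayed origin no longer matches the popup just blocked,
// i.e. the condition a UI regression test for this bug should catch.
function indicatorIsStale(bar, n, originA, originB) {
  return simulate(bar, n, originA, originB) !== originB;
}
```

With ten prior calls the buggy model still displays the trusted origin after the eleventh blocked popup, while the corrected model displays the actual origin.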
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.