Chris Evans has posted an interesting bug in IE involving using JavaScript's window.onerror to leak cross domain data. From his blog
"The bug is pretty simple: IE supports a window.onerror callback which fires whenever a Javascript parse or runtime error occurs. Trouble is, it fires even if www.evil.com registers its own window.onerror handler and then uses <script src="http://www.bank.com/">. "
Full Advisory: http://scarybeastsecurity.blogspot.com/2010/10/minor-leak-major-headache.html
