This Metasploit module exploits a use-after-free vulnerability in Microsoft Internet Explorer where a DOM textNode pointer becomes corrupted after style computation. This pointer is then overwritten when the innerHTML property on the parent object is set.
b6745968884cf6b6554a200804a5583329d082da0e92b0007d893fd030dd188e