[shadowgovt]

Does disabling JavaScript also disable loading iframes? IIRC it does not, but my memory's hazy on the topic.

This exploit allows arbitrary code execution by requesting too big a height for an iframe, which corrupts a GDI data structure.

https://www.cvedetails.com/cve/CVE-2011-5046/

[ocdtrekkie]

iframes are purely an HTML element. Of course, this flaw is patched in the latest Windows 7, but it's a great example of the potential risks nonetheless.