There is a similar bug with ieframe-dll's sslnavcancel.htm. I also found that if you use ieframe.dll's http_410.htm you can make a link that says "The webpage no longer exists" with a spoof'ed address. POC's is at my blog as comments to the original article.