On Fefe’s blog I found two interesting Chrome exploits. Because Chrome is sandboxed, they had to chain a lot of bugs together to break out.
So, that’s the long and impressive path Pinkie Pie took to crack Chrome. All the referenced bugs were fixed some time ago, but some are still restricted to ensure our users and Chromium embedders have a chance to update. However, we’ve included links so when we do make the bugs public, anyone can investigate in more detail.