I've posted a demonstration of this problem to this bug's URL. Document B sets a global variable named "superSecretThing", document A embeds document B in an iframe, and is able to see the secret variable name from a foreign domain.
This can, e.g., leak whether a user is logged in on another domain, if that domain initialises variables after the user logs in.
Created attachment 18204 [details]
Landed in r29044.