The reporter found an edge case, almost obscure, where it was possible to build a CSRF attack on Internet Explorer 10/11 (Windows 7). The report covered two different domains.
There was a long wait to get this fixed. The criticality was not very high. Tokens were added to the applications to avoid CSRF.
Although CSRF is bad in itself, this was a rare case, which made the probability of something bad happening very small.