Security researcher regenrecht reported via
TippingPoint's Zero Day Initiative that
when window.__lookupGetter__
is called with no arguments
the code assumes the top JavaScript stack value is a property name.
Since there were no arguments passed into the function, the top value
could represent uninitialized memory or a pointer to a previously
freed JavaScript object. Under such circumstances the value is passed
to another subroutine which calls through the dangling pointer,
potentially executing attacker-controlled memory.