Security researcher Collin Jackson reported a violation of
the HTML5 specifications for document.domain
behavior. Specified
behavior requires pages to only have access to windows in a new
document.domain
but the observed violation allowed pages to retain
access to windows from the page's initial origin in addition to the new
document.domain
. This could potentially lead to cross-site
scripting (XSS) attacks.
In general these flaws cannot be exploited through email in the Thunderbird and SeaMonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts in those products.