Security researcher Mariusz Mlynski reported that an attacker able to convince a potential victim to set a new home page by dragging a link to the "home" button can set that user's home page to a javascript: URL. Once this is done the attacker's page can cause repeated crashes of the browser, eventually getting the script URL loaded in the privileged about:sessionrestore context.
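
A defender can check whether a profile's stored home page already holds such a URL. The following is an added example, not Mozilla code: it scans the text of a prefs.js file for javascript: entries in the browser.startup.homepage preference. The function names and the sample preferences are constructed for illustration, and it assumes the value uses only simple backslash escapes.

```javascript
// Added example (not Mozilla code): flag javascript: home page entries in prefs.js text.
const HOMEPAGE_PREF = "browser.startup.homepage";

// Mirror URL-parser leniency: tabs and newlines are dropped anywhere, leading
// control characters and spaces are ignored, and the scheme is case-insensitive.
function schemeOf(url) {
  const cleaned = url.replace(/[\t\n\r]/g, "").replace(/^[\x00-\x20]+/, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Undo the simple backslash escapes a quoted pref value may carry
// (assumption: no \x or \u escapes in the value).
function unescapePref(s) {
  const map = { n: "\n", r: "\r", t: "\t" };
  return s.replace(/\\(.)/g, (_, c) => (c in map ? map[c] : c));
}

// Return every home page entry whose scheme is javascript:.
function findScriptHomePages(prefsText) {
  const re = /user_pref\(\s*"([^"]+)"\s*,\s*"((?:[^"\\]|\\.)*)"\s*\)\s*;/g;
  const hits = [];
  let m;
  while ((m = re.exec(prefsText)) !== null) {
    if (m[1] !== HOMEPAGE_PREF) continue;
    // Several home pages are stored in one value, separated by "|".
    for (const entry of unescapePref(m[2]).split("|")) {
      if (schemeOf(entry) === "javascript") hits.push(entry);
    }
  }
  return hits;
}

// Constructed sample input, not taken from a real profile.
const SAMPLE_PREFS = [
  'user_pref("browser.startup.page", 1);',
  'user_pref("browser.startup.homepage", "https://example.org/| JavaScript:void(0)|about:home");',
].join("\n");

console.log(findScriptHomePages(SAMPLE_PREFS));
```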