Mozilla community member Jean-Max Reymond discovered a use-after-free
vulnerability with a <canvas> element on a page. This occurs when a
resize event is triggered in concert with style changes but the canvas references have
been recreated in the meantime, destroying the originally referenced context. This results
in an exploitable crash.
Ucha Gobejishvili, working with HP's Zero Day Initiative, subsequently reported this same issue.
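
The lifetime pattern described above, as a simplified C++ model added for illustration; it is not Gecko code, and every class and function name in it is hypothetical. It shows a queued resize holding a weak reference, so a context destroyed in the meantime is detected and re-resolved rather than dereferenced.

```cpp
// Simplified model of the lifetime bug class; every name here is hypothetical.
#include <memory>

struct RenderContext { int width = 300; int height = 150; };

class Canvas {
public:
    Canvas() : ctx_(std::make_shared<RenderContext>()) {}
    // Models a style change that rebuilds the context; the old one is freed
    // as soon as nothing else holds a strong reference to it.
    void RecreateContext() { ctx_ = std::make_shared<RenderContext>(); }
    std::shared_ptr<RenderContext> Context() const { return ctx_; }
private:
    std::shared_ptr<RenderContext> ctx_;
};

enum class ResizeResult { Applied, StaleContextRetargeted };

// A queued resize. The unsafe pattern would store a raw RenderContext* here and
// dereference it in Run(), a use-after-free once the canvas has recreated its
// context. Holding a weak_ptr makes the staleness observable instead.
class PendingResize {
public:
    PendingResize(Canvas& canvas, int w, int h)
        : canvas_(canvas), seen_(canvas.Context()), w_(w), h_(h) {}

    ResizeResult Run() {
        ResizeResult result = ResizeResult::Applied;
        std::shared_ptr<RenderContext> ctx = seen_.lock();
        if (!ctx) {                    // original context was destroyed meanwhile
            ctx = canvas_.Context();   // re-resolve through the owning canvas
            result = ResizeResult::StaleContextRetargeted;
        }
        ctx->width = w_;
        ctx->height = h_;
        return result;
    }
private:
    Canvas& canvas_;
    std::weak_ptr<RenderContext> seen_;
    int w_, h_;
};

// Drives the sequence: resize queued, context optionally recreated, resize runs.
ResizeResult ResizeAfter(bool recreate, int w, int h, int* width_out) {
    Canvas canvas;
    PendingResize resize(canvas, w, h);
    if (recreate) canvas.RecreateContext();
    ResizeResult r = resize.Run();
    *width_out = canvas.Context()->width;
    return r;
}
```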