Security researcher Sergey Glazunov reported a
dangling pointer vulnerability in the implementation
of navigator.plugins
in which the navigator
object could retain a pointer to the plugins array even after it had
been destroyed. An attacker could potentially use this issue to crash
the browser and run arbitrary code on a victim's computer.