Security researcher SkyLined reported a use-after-free created by triggering the creation of a second root element while parsing HTML written to a document created with document.open()
. This leads to a potentially exploitable crash.
In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts.