Security researcher Jethro Beekman of the University of
California, Berkeley reported a crash when the FireOnStateChange
event is triggered in some circumstances. This leads to a use-after-free and a
potentially exploitable crash when it occurs.
In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts.