Security researcher Martin Barbella reported that under certain conditions, viewing a XUL document while JavaScript was disabled caused deleted memory to be accessed. This flaw could potentially be used by an attacker to crash a victim's browser and run arbitrary code on their computer.
XUL document support was disabled by default in Firefox 4 and SeaMonkey 2.1, and users of those versions are not generally at risk. It is possible for add-ons to re-enable the feature for specific sites (for example, to support a legacy intranet XUL application), which would have introduced this vulnerability while browsing those sites.