Security researcher regenrecht reported via
TippingPoint's Zero Day Initiative an error in Mozilla's
implementation of NodeIterator
in which a
malicious NodeFilter
could be created which would detach
nodes from the DOM tree while it was being traversed. The use of a
detached and subsequently deleted node could result in the execution
of attacker-controlled memory.