Security researcher Nils used the Address Sanitizer tool while fuzzing to discover missing strong references in browsing engine leading to use-after-frees. This can lead to a potentially exploitable crash.
In general these flaws cannot be exploited through email in the Thunderbird and Seamonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts.