Security researcher Mariusz Mlynski reported an issue with
spoofing of the location property. In this issue, writes to
location.hash
can be used in concert with scripted history
navigation to cause a specific website to be loaded into the history object. The
baseURI can then be changed to this stored site, allowing an attacker to inject
a script or intercept posted data posted to a location specified with a relative
path.
In general these flaws cannot be exploited through email in the Thunderbird and SeaMonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts in those products.