Security researcher Jordan Milne reported an information
leak where document.caretPositionFromPoint
and
document.elementFromPoint
functions could be used on a cross-origin
iframe to gain information on the iframe's DOM and other attributes through a
timing attack, violating same-origin policy.
In general this flaw cannot be exploited through email in the Seamonkey product because scripting is disabled in mail, but is potentially a risk in browser or browser-like contexts.