Mozilla Foundation Security Advisory 2011-57
Title: Crash when plugin removes itself on Mac OS X
Announced: December 20, 2011
Reporter: Richard Bateman
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 9.0
FireBreath developer Richard Bateman reported a crash on Mac OS X that occurred when a plugin deleted its containing DOM frame during a call from that frame. The observed symptom is a null dereference, but we cannot rule out the possibility that content from a scriptable plugin such as Flash could find a way to dereference a more useful address and exploit it.