Mozilla Foundation Security Advisory 2012-04
Title: Child nodes from nsDOMAttribute still accessible after removal of nodes
Announced: January 31, 2012
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 10.0
Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that removed child nodes of nsDOMAttribute can be accessed under certain circumstances because of a premature notification of AttributeChildRemoved. This use-after-free of the child nodes could possibly allow for remote code execution.