Arbitrary code execution in mozIJSSubScriptLoader.loadSubScript() — Mozilla

Mozilla security researcher moz_bug_r_a4 reported that mozIJSSubScriptLoader.LoadScript() only applied XPCNativeWrappers to scripts loaded from standard chrome: URIs. Add-ons using this feature to load scripts from other schemes such as file: or data: (typically dynamically generated scripts) and chrome: URIs using non-canonical package names (e.g. uppercase) did not have the protective wrappers applied. If the scripts interact with web content in any way that content could exploit the unwrapped scripts to run arbitrary code.