Cross-site scripting using .valueOf.call() — Mozilla

mozbugra4 discovered that .valueOf.call and .valueOf.apply when called with no arguments were returning the Object class prototype rather than the caller's global window object. When called on a reachable property of another window this provides a hook to get around the same-origin protection,...

Accessing XBL compilation scope via valueOf.call() — Mozilla

mozbugra4 discovered that the compilation scope of privileged built-in XBL bindings was not fully protected from web content and could be accessed by calling valueOf.call and valueOf.apply on a method of that binding. This could then be used to compile and run attacker-supplied JavaScript, giving...