Arbitrary code execution using event listeners attached to an element whose owner document is null — Mozilla

Mozilla security researcher mozbugra4 reported that the owner document of an element can become null after garbage collection. In such cases, event listeners may be executed within the wrong JavaScript context. An attacker could potentially use this vulnerability to have a malicious event handler...