Privilege escalation using a JavaScript function's cloned parent — Mozilla
shutdown discovered it was possible to use the Object.watch method to access an internal function object the "clone parent" which could then be used to run arbitrary JavaScript code with full permission. This could be used to install malware such as password sniffers or viruses...