CVE 2008-2803

The mozIJSSubScriptLoader.LoadScript function in Mozilla Firefox before, Thunderbird and earlier, and SeaMonkey before 1.1.10 does not apply XPCNativeWrappers to scripts loaded from (1) file: URIs, (2) data: URIs, or (3) certain non-canonical chrome: URIs, which allows remote attackers to execute arbitrary code via vectors involving third-party add-ons.

See the CVE page on for more details.