The navigator.plugins implementation in Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 does not properly handle destruction of the DOM plugin array, which might allow remote attackers to cause a denial of service (application crash) or execute arbitrary code via crafted access to the navigator object, related to a “dangling pointer vulnerability.”
blogs.sun.com/security/entry/multiple_vulnerabilities_in_mozilla_firefox
lists.fedoraproject.org/pipermail/package-announce/2010-September/047282.html
lists.opensuse.org/opensuse-security-announce/2010-10/msg00002.html
secunia.com/advisories/42867
support.avaya.com/css/P8/documents/100110210
support.avaya.com/css/P8/documents/100112690
www.debian.org/security/2010/dsa-2106
www.mandriva.com/security/advisories?name=MDVSA-2010:173
www.mozilla.org/security/announce/2010/mfsa2010-51.html
www.vupen.com/english/advisories/2010/2323
www.vupen.com/english/advisories/2011/0061
bugzilla.mozilla.org/show_bug.cgi?id=584512
exchange.xforce.ibmcloud.com/vulnerabilities/61658
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11969