|nsFrameManager in Firefox 3.x before 3.0.4, Firefox 2.x before
126.96.36.199, Thunderbird 2.x before 188.8.131.52, and SeaMonkey 1.x before
1.1.13 allows remote attackers to cause a denial of service (crash)
and possibly execute arbitrary code by modifying properties of a file
input element while it is still being initialized, then using the blur
method to access uninitialized memory.