nsFrameManager in Firefox 3.x before 3.0.4, Firefox 2.x before
22.214.171.124, Thunderbird 2.x before 126.96.36.199, and SeaMonkey 1.x before
1.1.13 allows remote attackers to cause a denial of service (crash)
and possibly execute arbitrary code by modifying properties of a file
input element while it is still being initialized, then using the blur
method to access uninitialized memory.