A bug was found in the way Thunderbird handles <img> tags. To quote the
checks don't work properly.
Thus, sandboxed script can access xbl.method's clone parent and xbl compilation
scope to run arbitrary code with chrome privileges.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
This flaw does not affect Thunderbird as previously thought. This is noted in
the upstream advisory: