Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that when window.__lookupGetter__ is called with no arguments, the code assumes the top JavaScript stack value is a property name. Since there were no arguments passed into the function, the top value could represent uninitialized memory or a pointer to a previously freed JavaScript object. Under such circumstances, the value is passed to another subroutine which calls through the dangling pointer, potentially executing attacker-controlled memory.
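The missing argument-count check described above, as an added example that is not Mozilla's or Red Hat's code: a toy operand stack in which a native function reads its first argument slot with and without testing for zero arguments. The stack layout and every name in it (`vm_t`, `name_tag_unchecked`, `name_tag_checked`, `run_scenario`) are hypothetical, and the stale value is a constructed stand-in.

```c
#include <stdio.h>
#include <string.h>

/* Toy operand stack; every name here is hypothetical, not SpiderMonkey's. */
typedef enum { TAG_UNDEFINED, TAG_STRING, TAG_OBJECT } tag_t;
typedef struct { tag_t tag; const void *ptr; } value_t;

#define STACK_SLOTS 8
/* One spare slot so reading "just above the top" stays inside the array. */
typedef struct { value_t slot[STACK_SLOTS + 1]; size_t sp; } vm_t;

static int vm_push(vm_t *vm, tag_t tag, const void *ptr) {
    if (vm->sp >= STACK_SLOTS) return -1;
    vm->slot[vm->sp].tag = tag;
    vm->slot[vm->sp].ptr = ptr;
    vm->sp++;
    return 0;
}
/* Pop only moves sp: the old value stays behind in the slot. */
static void vm_pop(vm_t *vm) { if (vm->sp > 0) vm->sp--; }

/* Unchecked: takes argv[0] as the property name without testing argc == 0. */
static tag_t name_tag_unchecked(const vm_t *vm, size_t argc) {
    if (argc > vm->sp) return TAG_UNDEFINED;
    return vm->slot[vm->sp - argc].tag;   /* argc == 0 reads a stale slot */
}

/* Checked: a missing argument is undefined; no stack slot is read for it. */
static tag_t name_tag_checked(const vm_t *vm, size_t argc) {
    if (argc == 0 || argc > vm->sp) return TAG_UNDEFINED;
    return vm->slot[vm->sp - argc].tag;
}

/* An earlier call leaves an object reference behind, then the native is
   called with `argc` arguments (one string argument when argc == 1). */
static tag_t run_scenario(int checked, size_t argc) {
    static const char stale_object[] = "stand-in for a freed object";
    vm_t vm;
    memset(&vm, 0, sizeof vm);
    vm_push(&vm, TAG_OBJECT, stale_object);
    vm_pop(&vm);
    if (argc == 1) vm_push(&vm, TAG_STRING, "propName");
    return checked ? name_tag_checked(&vm, argc) : name_tag_unchecked(&vm, argc);
}

int main(void) {
    printf("no args, unchecked: tag %d\n", run_scenario(0, 0));
    printf("no args, checked:   tag %d\n", run_scenario(1, 0));
    return 0;
}
```

With one argument both versions see the string; with none, only the checked version avoids treating the leftover object reference as the property name.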
This is now public: http://www.mozilla.org/security/announce/2010/mfsa2010-67.html
This issue has been addressed in following products: Red Hat Enterprise Linux 4, Red Hat Enterprise Linux 5. Via RHSA-2010:0782 https://rhn.redhat.com/errata/RHSA-2010-0782.html
This issue has been addressed in following products: Red Hat Enterprise Linux 6. Via RHSA-2010:0861 https://rhn.redhat.com/errata/RHSA-2010-0861.html
This issue has been addressed in following products: Red Hat Enterprise Linux 6. Via RHSA-2010:0896 https://rhn.redhat.com/errata/RHSA-2010-0896.html