Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that appendChild did not correctly account for DOM objects it operated upon and could be exploited to dereference an invalid pointer.
This is now public: http://www.mozilla.org/security/announce/2011/mfsa2011-30.html
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2011:1166 https://rhn.redhat.com/errata/RHSA-2011-1166.html
This issue has been addressed in following products: Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Via RHSA-2011:1164 https://rhn.redhat.com/errata/RHSA-2011-1164.html