The CESG, the Information Security Arm of GCHQ, reported that the JavaScript .watch() method could be used to overflow the 32-bit generation count of the underlying HashMap, resulting in a write to an invalid entry. Under the right conditions this write could lead to arbitrary code execution. The overflow takes considerable time and a malicious page would require a user to keep it open for the duration of the attack. External Reference: https://www.mozilla.org/security/announce/2016/mfsa2016-47.html
Acknowledgments: Name: the Mozilla project Upstream: CESG (the Information Security Arm of GCHQ)
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Via RHSA-2016:0695 https://rhn.redhat.com/errata/RHSA-2016-0695.html