Mozilla Firefox before version 58.0.1 does not properly sanitize HTML fragments for chrome-privileged documents. An attacker could exploit this to execute arbitrary code. This issue did not affect Firefox for Android or Firefox 52 ESR. Upstream Advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2018-05/ Upstream Issue: https://bugzilla.mozilla.org/show_bug.cgi?id=1432966