A Mozilla Foundation Security Advisory reports for
deleted object reference when designMode="on"
Martijn Wargers and Nick Mott each described crashes that
were discovered to ultimately stem from the same root cause:
attempting to use a deleted controller context when designMode
was turned on. This generally results in crashing the browser,
but in theory references to deleted objects can be abused to
run malicious code.
"splices" reported the same crash at the fan site MozillaZine and
on Bugtraq, incorrectly describing it as a buffer overflow.