Mozilla Firefox 100.0.2, Mozilla Firefox ESR 91.9.1 or Mozilla Thunderbird 91.9.1: An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process.